Request for Comments: Magic Quotes in PHP, the Finalé

Introduction

Magic Quotes needs to be done away with. This needs to be done in a safe, orderly manner.

Common Misconceptions

1) Magic Quotes are already off. While they are set to off in our distributed php.ini files, they are on by default in PHP itself.

2) Magic Quotes already raise an E_DEPRECATED message. The message is only raised when explicitly setting “magic_quotes_* = On.” People on systems using PHP's default values do not get any warning about Magic Quotes being deprecated.

3) Magic Quotes isn't a safety feature. Yes, administrators and programmers relying on this feature are misguided. Nonetheless, there are people (unknowingly) relying on this behavior to escape their SQL statements. Turning it off by default without explicitly warning users via the language itself will open security holes.
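Misconception 3 is the security-relevant one: an application that is unaware of magic_quotes_gpc may be silently depending on it. The following added example (not part of the RFC or of PHP itself) shows how an application can detect the setting, undo its escaping so input is raw regardless of configuration, and then escape at the SQL boundary with a prepared statement; it assumes PHP 5.x with PDO and the SQLite driver, and the DSN and table are placeholders.

```php
<?php
// Added example: make an application independent of magic_quotes_gpc so that
// turning the setting off (as this RFC proposes) cannot open a hole.

function magic_quotes_active()
{
    // get_magic_quotes_gpc() reports the effective setting, whether it comes
    // from php.ini or from PHP's compiled-in default (which is On).
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// Recursively undo the backslash-escaping magic quotes applied to GPC data,
// so the superglobals hold the raw values the client actually sent.
function strip_magic_quotes(array &$data)
{
    foreach ($data as &$value) {
        if (is_array($value)) {
            strip_magic_quotes($value);
        } else {
            $value = stripslashes($value);
        }
    }
    unset($value);
}

if (magic_quotes_active()) {
    // Surface the dependency, in the spirit of the E_DEPRECATED notice proposed below.
    trigger_error('magic_quotes_gpc is On; set it Off in php.ini', E_USER_DEPRECATED);
    strip_magic_quotes($_GET);
    strip_magic_quotes($_POST);
    strip_magic_quotes($_COOKIE);
    strip_magic_quotes($_REQUEST); // a copy of the above, so strip it separately
}

// With the input known to be raw, escape at the SQL boundary with a prepared
// statement instead of relying on magic quotes for escaping.
function find_user(PDO $db, $username)
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute(array($username));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:'); // placeholder DSN (constructed for this example)
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('o''brien')");
// A quote in the input is handled by the driver; with magic quotes On and no
// stripslashes() above, the lookup would have searched for "o\'brien" instead.
var_dump(find_user($db, isset($_GET['user']) ? $_GET['user'] : "o'brien"));
```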

Proposal

5.4

  • Raise E_DEPRECATED when running the CGI or any web server SAPI and a php.ini file does not contain “magic_quotes_gpc = Off”.
  • PHP's default value for magic_quotes_gpc remains as on.

trunk (5.4 + 1 major release)

  • Raise E_ERROR when running the CGI or any web server SAPI and a php.ini file does not contain “magic_quotes_gpc = Off”.
  • Set PHP's default value for magic_quotes_gpc to off.

5.4 + 2 major releases

“removal” What do people think should happen here? Please discuss.

rfc/magicquotes_finale.txt · Last modified: 2011/10/25 17:12 by danielc