On Fri, Apr 16, 2010 at 12:51:23AM +0200, Johannes Schlüter wrote:
> > Removing magic_quotes would be soooooooooooo great. BUT the issue is
> that most users don't know about it. Many applications are more or less
> secure due to its existence. The apps aren't fully secure but a few less
> vectors.
One way to remove magic_quotes without opening massive quantities of
security holes would be implementing taint mode support
(http://wiki.php.net/rfc/taint) and having the default taint_error_level
be E_FATAL.
Yes, this creates a painful upgrade path for the multitudes using
insecure coding practices. But it will hurt a lot less than having their
applications inadvertently subverted by hackers/crackers/spammers/etc due
to upgrading PHP.
--Dan
--
T H E A N A L Y S I S A N D S O L U T I O N S C O M P A N Y
data intensive web and database programming
http://www.AnalysisAndSolutions.com/
4015 7th Ave #4, Brooklyn NY 11232 v: 718-854-0335 f: 718-854-0409
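The pattern the thread is talking about, as an added example that is not part of the original message or of the taint RFC: the string-interpolated query that magic_quotes_gpc partially covered, a small normalisation helper so an application sees the same raw value whether or not the directive is still on, and the prepared-statement form that does not depend on magic_quotes at all. The request value and the in-memory SQLite table are constructed for the demo; the code assumes PHP with the PDO SQLite driver, and `get_magic_quotes_gpc()` is only called if the runtime still defines it (it was removed in PHP 8.0).

```php
<?php
// Added example (not from the mailing-list thread). Contrasts the pattern that
// relied on magic_quotes_gpc with a prepared-statement version.

// Constructed request value standing in for something like $_GET['name'].
$rawName = "O'Brien' OR '1'='1";

// Undo magic_quotes_gpc if this runtime still has it enabled, so the rest of
// the application receives the raw value both before and after the directive
// disappears. Guarded with function_exists() because PHP 8 no longer defines it.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// The style that only "worked" because of magic_quotes: user data is spliced
// straight into the SQL text. The automatic escaping only helps inside quoted
// string literals; an unquoted numeric context such as "WHERE id = $id" gets
// no protection, which is why the thread speaks of "a few less vectors"
// rather than of secure applications.
function query_relying_on_magic_quotes(string $name): string
{
    return "SELECT * FROM users WHERE name = '$name'";
}

// Hardened form: the value is bound as a parameter, so it is compared as data
// and never becomes part of the statement text. No escaping directive needed.
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('O''Brien'), ('alice')");

$name = raw_input($rawName);

// Without magic_quotes the tail of the input becomes part of the WHERE clause.
echo query_relying_on_magic_quotes($name), "\n";

// With binding, the whole input is matched as one literal name and the
// injected fragment has no effect on the query's structure.
printf("%d row(s) for the bound attacker string\n", count(find_user($db, $name)));
printf("%d row(s) for O'Brien\n", count(find_user($db, "O'Brien")));
```

Running it prints the interpolated statement first, so the structural change the escaping was papering over is visible, followed by the row counts from the bound queries; swapping in `raw_input()` at the points where an application reads request data is the usual way to make the code behave identically on both sides of the magic_quotes removal while the queries are migrated to parameters.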