Re: Re: Making addslashes() multibyte aware

Date: Mon, 16 Dec 2013 20:54:30 +0000
Subject: Re: Re: Making addslashes() multibyte aware
Groups: php.internals
On 16 December 2013 12:44, Yasuo Ohgaki <yohgaki@ohgaki.net> wrote:
> I don't think locale based MBCS support is optimum, but I'll add it to
> addslashes() for now.

I don't think basing behaviour on the locale is a great idea (as
evidenced by the various issues with Turkish and Azeri over the
years). Could we just add an explicit encoding parameter like
htmlspecialchars()?

> Question is where should I start?
> It's a security issue for certain char encodings such as SJIS/BIG5.

Is there a case other than database access (where we've been directing
users to better APIs like PDO and mysqli for several years, at least)
where this is likely to cause security issues?

> I'll fix php_addslashes(). Therefore, any functions that use it internally
> are affected. e.g. var_export(), etc. Users are not affected as long as
> they are using the correct locale.
>
> Should I fix this from 5.3?

This feels like it has the potential to be a really nasty implicit BC
break. I don't think we'd want to change default behaviour on any
stable branch, honestly.

Adam
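
An added illustration of the SJIS problem discussed in this exchange (example code written for this page, not code from the thread, from php-src or from Yasuo's patch), in Python rather than PHP so the byte sequences stay explicit. `addslashes_bytewise` models what a byte-oriented addslashes() does (prefix ' " \ with a backslash, NUL to \0); `addslashes_encoding_aware` is one shape the explicit-encoding variant suggested above could take: decode strictly under a caller-supplied charset, escape per character, re-encode, and reject input that is not valid in that charset. The function names, the constructed inputs and the quote-balance checker are this example's own assumptions. The same trail-byte overlap exists in Big5, where 0x5C is also a valid second byte, so the check is not SJIS-specific.

```python
# Added illustration, not code from the thread or from php-src.
# A byte-oriented addslashes() (modelled on php_addslashes(): prefix
# ' " \ with a backslash, turn NUL into \0) versus a variant that takes
# an explicit encoding parameter. Names and inputs are this example's own.

SPECIAL_BYTES = {0x27, 0x22, 0x5C}  # ' " \


def addslashes_bytewise(data: bytes) -> bytes:
    """Escape byte by byte, with no knowledge of multibyte sequences."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in SPECIAL_BYTES:
            out.append(0x5C)
            out.append(b)
        else:
            out.append(b)
    return bytes(out)


def addslashes_encoding_aware(data: bytes, encoding: str) -> bytes:
    """Decode strictly, escape per character, re-encode.

    A lead byte with no valid trail byte (such as the 0x95 0x27 attack
    input below) is not valid Shift_JIS and is rejected rather than
    handed on to the database.
    """
    try:
        text = data.decode(encoding, errors="strict")
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {encoding}: {exc}") from None
    out = []
    for ch in text:
        if ch == "\0":
            out.append("\\0")
        elif ch in "'\"\\":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out).encode(encoding)


def quote_literal(escaped: bytes) -> bytes:
    """Wrap escaped bytes in single quotes, as an SQL string literal."""
    return b"'" + escaped + b"'"


def literal_closed_early(literal: bytes, encoding: str) -> bool:
    """Decode the literal the way a connection using `encoding` would and
    report whether an unescaped quote terminates it before the last byte."""
    text = literal.decode(encoding, errors="replace")
    i = 1  # skip the opening quote
    while i < len(text) - 1:
        if text[i] == "\\":
            i += 2  # a backslash escapes the following character
            continue
        if text[i] == "'":
            return True
        i += 1
    return False


if __name__ == "__main__":
    sjis = "shift_jis"
    # Constructed inputs. U+8868 (表) is 0x95 0x5C in Shift_JIS: its trail
    # byte is the ASCII backslash.
    valid = "表'".encode(sjis)   # b"\x95\x5c'"
    attack = b"\x95'"            # lone lead byte followed by a quote

    for name, payload in (("valid", valid), ("attack", attack)):
        lit = quote_literal(addslashes_bytewise(payload))
        print(name, "bytewise:", lit.hex(" "),
              "closed early:", literal_closed_early(lit, sjis))
        try:
            lit = quote_literal(addslashes_encoding_aware(payload, sjis))
            print(name, "aware:   ", lit.hex(" "),
                  "closed early:", literal_closed_early(lit, sjis))
        except ValueError as err:
            print(name, "aware:    rejected:", err)
```

Two things fall out of running it. For the well-formed input 表' the byte-wise escaper doubles the 0x5C trail byte, so a Shift_JIS connection reads 表, an escaped backslash, and then a bare quote: valid data is enough to break out, no malformed bytes required. For the classic attack input 0x95 0x27 the inserted backslash becomes the trail byte of 表 and the quote survives, whereas the encoding-aware version refuses the input outright because it is not decodable under the charset it was told to use.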
