On Thu, 9 Feb 2006 9:55:57 -0600, phil phil@cryer.us wrote:
On Thu, 9 Feb 2006 14:48:17 +0100, Thomas -Balu- Walter list+roundcube-dev@b-a-l-u.de wrote:
On Thu, Feb 09, 2006 at 10:26:53AM -0300, Lic. Martin Marques wrote:
On Thu, 9 Feb 2006, Thomas -Balu- Walter wrote:
If you tell people to switch that off, they might get problems with other scripts.
They can always have different settings for different directory definitions in the web server.
As I said before, magic_quotes is a very bad thing, and security must come from the programmer, not an automatic quoter.
I absolutely agree with you here. But the programmer should also make his software user/admin friendly and I don't think the 5 lines workaround needed to fix this problem are too much hassle for the coder...
You will have more problems telling website-"admins" (which usually don't know a bit of webserver administration) to change a PHP setting - just for this subdirectory - been there, done that ;).
In drupal the distributed .htaccess has the following:
# Override PHP settings. More exist in sites/default/settings.php, but
# the following cannot be changed at runtime.

<IfModule sapi_apache2.c>
  php_value magic_quotes_gpc 0
  php_value register_globals 0
  php_value session.auto_start 0
</IfModule>
"...to disable magic quotes completely, without the need to adjust your php.ini file or (re)process the user's input. [...] in the .htaccess file, add a line"
php_flag magic_quotes_gpc off
http://us3.php.net/manual/en/security.magicquotes.php#61589
http://fak3r.com - you don't have to kick it