Plan on using PHP 5 for the next 8 years...

[tibberous]

http://us.php.net/magic_quotes

 

Magic quotes are gone in version 6. That means that SQL injections are back, and PHP 6 is going to be as hard to switch to as version 4 was with the register_globals switch, only far worse because magic quotes can't be turned on, and because hackers are going to have free rein over most the worlds PHP 6 sites.

 

I'm guessing this is to get rid of amateurs and mean more work for us PHP guys - just now I'm gonna have to hear about it from my jsp-loving friend =/

[TheFilmGod]

http://us.php.net/magic_quotes

 

Magic quotes are gone in version 6. That means that SQL injections are back, and PHP 6 is going to be as hard to switch to as version 4 was with the register_globals switch, only far worse because magic quotes can't be turned on, and because hackers are going to have free rein over most the worlds PHP 6 sites.

 

I'm guessing this is to get rid of amateurs and mean more work for us PHP guys - just now I'm gonna have to hear about it from my jsp-loving friend =/

 

This is a good thing. I'm tired of people trying to code secure things like passwords/usernames and not know how to use pattern checking and use validation properly.

 

Magic quotes was just "the easy way out."

[PFMaBiSmAd]

If you were relying on magic quotes being on to escape data, that was just being lazy (expecting the programming language to do something for you that you should have been writing code to do.)

 

See these proper ways of escaping data that will always work, irregardless of php version or php configuration - http://php.net/mysql_real_escape_string and http://www.php.net/manual/en/function.addslashes.php

[neylitalo]

I'm guessing this is to get rid of amateurs and mean more work for us PHP guys

 

No, it's because there was an overwhelming negative response to magic_quotes_gpc. Magic quotes were, as has been said before, the lazy way out, and more often than not, were responsible for breaking more stuff than they fixed. Anything that eliminates poor practices is a good thing, in this man's opinion.

 

irregardless

 

No such word. Regardless is what you're looking for.

[Daniel0]

Magic quotes are gone in version 6. That means that SQL injections are back

Only if you're a crap programmer (hope I didn't offend anyone).

[Liquid Fire]

That means that SQL injections are back, and PHP 6 is going to be as hard to switch

 

This is only true is you still rely on them.  No offense but only noobish programmers still think magic quotes are a good idea.  It would not be bad if this move gets rid of some crappy programmers(which IMO has been a problem for good PHP programmers)

[testtesttesttest]

We'll, yes, you can write scripts without it, and yes, it will work fine if your good. Though by the same logic we could all write websites in C that bound to the correct socket and handled the GET and POST requests - would want to take the easy way out and use a crutch like apache, 'good' programmers could still do it.

 

 

I'm just saying that what makes languages good or bad are their features - the 'proper' way is the easy way, unless their is a strong reason why the easy way is bad. Yes - magic quotes isn't needed, and putting addslashes before every $_POST will make up for not having it - still annoying...

[Daniel0]

Yes - magic quotes isn't needed, and putting addslashes before every $_POST will make up for not having it - still annoying...

 

That depends on the programmer.

<?php
class Database_MySQL extends Database
{
// ...
public function insert($table, array $data = array())
{
	$columns = $values = array();
	foreach($data as $key => $value)
	{
		$columns[] = "`{$key}`";
		$values[]  = '?';
	}

	$query = "INSERT INTO `{$table}` (" . join(', ', $columns) . ') VALUES (' . join(', ', $values) . ')';

	$statement = $this->db->prepare($query);

	return $statement->execute(array_values($data));
}
// ...
}
?>

Code uses PDO.

 

I know some people do this:

<?php
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
$email = mysql_real_escape_string($_POST['email']);
// etc...

but that's their choice.

 

Also, you might not always need the data with slashes so it makes more sense to add it when needed instead of removing them when it's not.

[ardyandkari]

Magic quotes are gone in version 6. That means that SQL injections are back

Only if you're a crap programmer (hope I didn't offend anyone).

 

:'(

 

I'm a crap programmer you TURD!!!

 

:'(

[448191]

Ooo, I'm loving this.. Popcorn anyone?

 

[zachrb]

lol, I dont know half of what yall are talking about. I am that big of a noob at PHP.

[juke]

lol, I dont know half of what yall are talking about. I am that big of a noob at PHP.

 

Check out http://davidwalsh.name/upcoming-php6-additions-changes/

 

All the new stuff being added and removed in the upcoming version of PHP. :>

[acidglitter]

quotes always confused me when i switched servers. i think this will make everything a lot more simple

[atholon]

When is the ETA of PHP 6?

[tibberous]

Wow... I didn't even know about the other stupid changes =/ Thankfully I just bought a dedicated and can keep PHP5 - since at the rate there going PHP7 is going to be JSP with dollar signs... then in PHP8 they can deprecate $'s, since you really should give variables strict types...

[Liquid Fire]

Wow... I didn't even know about the other stupid changes =/ Thankfully I just bought a dedicated and can keep PHP5 - since at the rate there going PHP7 is going to be JSP with dollar signs... then in PHP8 they can deprecate $'s, since you really should give variables strict types...

I don't know to much about Java but PHP is not that like java, First of all, Java is fully OOP and i don't think PHP is going to go that way(however they should still fully support Objects, I wish they they would support multiple inheritance).  Also strict typing is not a bad thing but that is also something else i doubt they would get rid of.

[Daniel0]

OOP is not just "using objects"...

[Stooney]

Also, safe mode is removed in php6.  Thought I'd add that.

[tomfmason]

and putting addslashes before every $_POST will make up for not having it - still annoying...

 

yeah, addslashes will make up for the lack of magic quotes but it is not enough to stop all types of sql injections. If you think addslashes or magic quotes are enough, you may want to consider reading some of the comments in the manual http://php.net/addslashes . IMHO, that is the reason that magic quotes are being phased out.

[Liquid Fire]

I think most of the changes are going to make PHP more secure because people are not going to have to make sure themself that things are programmed right instead of thinking things like magic quotes will save them.

 

The only things that makes no sense at all is the no more {} inside double quotes string which will be replaced with [](I think to no the reason behind this because i have a big feeling this will break A LOT of existing php 5 code if people try to upgrade to PHP 6.

[Daniel0]

The only things that makes no sense at all is the no more {} inside double quotes string which will be replaced with [](I think to no the reason behind this because i have a big feeling this will break A LOT of existing php 5 code if people try to upgrade to PHP 6.

 

You misinterpreted that. This is the change:

<?php
$string = 'hello';

echo $string[0]; // correct in PHP6
echo $string{0}; // wrong in PHP6
?>

[Liquid Fire]

oh so "the variable value is {$value}" will still be value in PHP6?  I did not even know you could access array indexes with {}.

[Daniel0]

Sure it will. It would break far to many scripts if they removed that.

[redarrow]

this is old {} from php6 your need to set it as on from php6

 

oh so "the variable value is {$value}" will still be value in PHP6?  I did not even know you could access array indexes with {}.

 

default will be the [] ok.

 

ps. your title php5 in 8 years, might i guess be php 9 i think,

 

good luck.....((even echo might be gone then lol))