[TYPO3-core] PHP requirement version for TYPO3 4.0
Michael Scharkow
michael at underused.org
Tue Jan 3 12:27:23 CET 2006
Dmitry Dulepov wrote:
> You never know how it is configured on the server side (unless it is
> typo3.org or typo3.com :)).
And you also never know whether they have register_globals on, or
username=password on their telnet account. Do we really have to work
every possible idiot messing with webservers?
> addslashes does not escape *all* required characters.
> mysql_real_escape_string takes into account all characters that should
> be escaped.
> mysql_real_escape_string *is* the correct way to escape parameters for
> mysql.
>
> There is no need to raise PHP version requirements: use
> mysql_real_escape_string if it is available and mysql_escape_string if
> it is not.
So the solution is to write yet another wrapper that wraps the various
escape functions into one call?
AFAIK, even Debian Sarge has PHP 4.3, so are there any responsible
webmasters on earth who still have lower versions installed on their
C64? And do we need to support those?
I still have not understood how this affects all the other databases for
DBAL, do we need yet another wrapper for those?
Cheers,
Michael
BTW: How on earth did we come to use PHP for TYPO3? I mean, how would
anybody want to use a language whose library includes addslashes,
mysql_escape_string and real_mysql_escape_string (plus all the
mysqli-aliases for complete unmaintainability!) for just one damn small
function?
We could as well just set
almost_working_now_with_only_some_security_leaks_left = 1 or
*real*-safemode = 1
in php.ini
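
Added example, not part of the original message or of TYPO3's code: the character-set difference raised in the quoted text, shown by comparing PHP's real addslashes() against a model of the bytes mysql_real_escape_string() is documented to escape. The function names mysql_real_escape_model and missed_by_addslashes and the sample input are constructed for illustration; the model assumes a single-byte connection charset and omits the charset-aware handling the real function performs.

```php
<?php
// Model of the byte-level escaping done by mysql_real_escape_string():
// it prepends a backslash to NUL, \n, \r, \, ', " and Ctrl-Z (0x1A).
// Assumption: single-byte connection charset; multi-byte handling is omitted.
function mysql_real_escape_model(string $s): string
{
    return strtr($s, [
        "\x00" => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\x1a" => "\\Z",
    ]);
}

// Report offset => byte for every byte that addslashes() passes through
// unchanged but the model above would escape.
function missed_by_addslashes(string $s): array
{
    $missed = [];
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        $c = $s[$i];
        if (addslashes($c) === $c && mysql_real_escape_model($c) !== $c) {
            $missed[$i] = sprintf('0x%02X', ord($c));
        }
    }
    return $missed;
}

// Constructed sample: a quote, a CRLF pair and a trailing Ctrl-Z.
$input = "O'Reilly\r\nline2\x1a";

// addslashes() touches only the quote; CR, LF and 0x1A stay raw.
var_dump(addslashes($input) === "O\\'Reilly\r\nline2\x1a");

// The model escapes the quote and the three control bytes as well.
var_dump(mysql_real_escape_model($input) === "O\\'Reilly\\r\\nline2\\Z");

// Offsets 8, 9 and 15 hold the bytes only the model escapes.
print_r(missed_by_addslashes($input));
```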