[TYPO3-core] PHP requirement version for TYPO3 4.0

Dmitry Dulepov dima at spamcop.net
Tue Jan 3 12:40:00 CET 2006


Hi!

Michael Scharkow wrote:
>>You never know how it is configured on the server side (unless it is
>>typo3.org or typo3.com :)).
> And you also never know whether they have register_globals on, or 
> username=password on their telnet account. Do we really have to work 
> every possible idiot messing with webservers?

Yes, when it comes to security.

>>addslashes does not escape *all* required characters.
>>mysql_real_escape_string takes into account all characters that should
>>be escaped.
>>mysql_real_escape_string *is* the correct way to escape parameters for
>>mysql.
>>
>>There is no need to raise PHP version requirements: use
>>mysql_real_escape_string if it is available and mysql_escape_string if
>>it is not.
> 
> So the solution is to write yet another wrapper that wraps the various 
> escape functions into one call?

if (function_exists('mysql_real_escape_string'))
	$result = mysql_real_escape_string(...);
else
	$result = mysql_escape_string(...);

I wrote it for you :)

> AFAIK, even Debian Sarge has PHP 4.3, so are there any responsible 
> webmasters on earth who still have lower versions installed on their 
> C64? And do we need to support those?

No comment on this since I did not understand what the problem is.

> I still have not understood how this affects all the other databases for 
> DBAL, do we need yet another wrapper for those?

DBAL should have its own quoteStr-like function which uses the appropriate
escaping function from the database driver. For example pg_escape_string
for PostgreSQL and sqlite_escape_string for SQLite.

> BTW: How on earth did we come to use PHP for TYPO3. I mean, how would 
> anybody want to use a language whose library includes addslashes, 
> mysql_escape_string and real_mysql_escape_string (plus all the 
> mysqli-aliases for complete unmaintainability!) for just one damn small 
> function?

Maybe you need to cool down a little? :) What has happened to you in
the last two days? :)

Dmitry.
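
Added example, not part of the original message and not TYPO3 code: a byte-level Python model of the documented escape sets of PHP's addslashes() and mysql_escape_string()/mysql_real_escape_string(), showing which bytes the first leaves raw. The function names and the sample input are constructed for illustration, and the connection-charset handling of mysql_real_escape_string is not modelled.

```python
"""Compare the byte sets escaped by addslashes() and the MySQL escapers."""

# Documented escape set of PHP addslashes():
# NUL, single quote, double quote, backslash.
ADDSLASHES_MAP = {
    0x00: b"\\0",
    0x27: b"\\'",
    0x22: b'\\"',
    0x5C: b"\\\\",
}

# Documented escape set of mysql_escape_string() and
# mysql_real_escape_string(): the four bytes above plus
# newline, carriage return and Ctrl-Z (0x1a).
MYSQL_MAP = dict(ADDSLASHES_MAP)
MYSQL_MAP.update({0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z"})


def _escape(data: bytes, table: dict) -> bytes:
    """Rewrite every byte found in `table`; copy all other bytes unchanged."""
    return b"".join(table.get(b, bytes([b])) for b in data)


def addslashes(data: bytes) -> bytes:
    """Model of addslashes(): knows nothing about MySQL's extra specials."""
    return _escape(data, ADDSLASHES_MAP)


def mysql_escape(data: bytes) -> bytes:
    """Model of the MySQL escape set (charset awareness not modelled)."""
    return _escape(data, MYSQL_MAP)


def missed_by_addslashes(data: bytes) -> list:
    """Distinct byte values in `data` that only the MySQL escaper rewrites."""
    return sorted({b for b in data
                   if b in MYSQL_MAP and b not in ADDSLASHES_MAP})


# Constructed sample value, standing in for a user-supplied form field.
SAMPLE = b"O'Reilly\r\nline2\x1a\x00"

if __name__ == "__main__":
    print("addslashes  :", addslashes(SAMPLE))
    print("mysql escape:", mysql_escape(SAMPLE))
    print("left raw by addslashes:",
          [hex(b) for b in missed_by_addslashes(SAMPLE)])
```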


