[wp-hackers] Magic quotes "on" forever?
ruben at gewooniets.nl
Thu May 6 06:11:15 UTC 2010
I think it would be a good idea to push everyone forward. Is there
currently any way for the plugin author to know whether the
superglobals are escaped or not? If not, why don't we add something
the authors can test for? That way (a) plugin authors get a way to
transform their plugin to a more decent style of escaping without
breaking it directly. And (b) once more and more plugins have a check
for escaped superglobals this feature can be disabled once and for
all, which is a good thing if you ask me. Escaping the superglobals
using addslashes doesn't really add much security, as there are still
SQL injection attacks possible.
On Wed, May 5, 2010 at 23:33, Peter Westwood <peter.westwood at ftwr.co.uk> wrote:
> On 5 May 2010, at 22:25, Mark Waterous wrote:
>> Doesn't it seem a little outdated to be doing this when even PHP is removing
>> the feature from it's core set of directives? Such security issues should be
>> handled inside of the database abstraction and not on a global scale, but
>> then I probably just don't understand the implementation due to not seeing
>> it from a core developers pov.
> From memory the issue is that too many plugins rely on the fact that the SuperGlobals are already escaped and don't use the more recent prepare stuff.
> Therefore if we remove this we risk making all those plugins vulnerable.
> Peter Westwood
> http://blog.ftwr.co.uk | http://westi.wordpress.com
> C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
More information about the wp-hackers