[wp-hackers] Magic quotes "on" forever?

John Blackbourn johnbillion+wp at gmail.com
Thu May 6 18:32:23 UTC 2010


On Thu, May 6, 2010 at 7:11 AM, Ruben Nijveld <ruben at gewooniets.nl> wrote:
> I think it would be a good idea to push everyone forward. Is there
> currently any way for the plugin author to know whether the
> superglobals are escaped or not? If not, why don't we add something
> the authors can test for? That way (a) plugin authors get a way to
> transform their plugin to a more decent style of escaping without
> breaking it directly. And (b) once more and more plugins have a check
> for escaped superglobals this feature can be disabled once and for
> all, which is a good thing if you ask me. Escaping the superglobals
> using addslashes doesn't really add much security, as there are still
> SQL injection attacks possible.
>
> - Ruben

This issue was raised (in a rather less constructive manner) on Trac
back in July http://core.trac.wordpress.org/ticket/10452 .

The general consensus (Ryan, Lloyd, Dion) was the same as what Westi
and Otto have just mentioned, that it would be great to remove the
magic quote emulation but the issues with backward compatibility are
too great. There are simply so many plugins out there that expect
escaped data that it would be asking for trouble.

Additionally, removing magic quote emulation would mean that plugins
would have to go back to checking for get_magic_quotes_gpc() (or a
similar WordPress function) and the whole reason WordPress emulates
magic quotes in the first place is to avoid this. So maybe we're stuck
with this forever?

I think more important is consistency, and that's what we've got at
the moment. Everything is magic quoted, and everyone knows this (and
if they don't they soon find out), so we're ok.
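The two mechanisms discussed in this thread, WordPress slashing the superglobals at load time so plugins never have to consult get_magic_quotes_gpc(), and Ruben's point that addslashes alone does not prevent SQL injection, can be seen in a single self-contained script. This is an added example, not code from the thread or from WordPress core: emulate_magic_quotes() and plugin_stripslashes_deep() are stand-ins for WordPress's add_magic_quotes() and stripslashes_deep(), the $_GET contents are constructed, and the sprintf-based query builder stands in for $wpdb->prepare(), which is what a real plugin would call.

```php
<?php
// Added example (not WordPress core or plugin code). Run with: php magic_quotes_demo.php

// Constructed request data, as PHP fills $_GET when magic_quotes_gpc is off.
$_GET = array(
    'title' => "O'Reilly",
    'id'    => '1 OR 1=1',
);

// Stand-in for the slashing WordPress applies to $_GET/$_POST/$_COOKIE/$_SERVER
// at load time (WordPress's own function is add_magic_quotes()).
function emulate_magic_quotes(array $data) {
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? emulate_magic_quotes($value) : addslashes($value);
    }
    return $data;
}

// Plugin side, inside WordPress: slashes are guaranteed whatever the PHP
// setting is, so the plugin strips them unconditionally (stand-in for
// WordPress's stripslashes_deep()).
function plugin_stripslashes_deep($value) {
    return is_array($value) ? array_map('plugin_stripslashes_deep', $value) : stripslashes($value);
}

// Outside WordPress the plugin would have to do the check the emulation
// exists to avoid. get_magic_quotes_gpc() was removed in PHP 8, hence the guard.
function portable_unslash($value) {
    $gpc_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $gpc_on ? stripslashes($value) : $value;
}

// Why slashing is not SQL-injection protection: the slashed 'id' contains no
// quote for addslashes to escape, so an unquoted numeric comparison is still
// injectable even though the value "came through" magic quotes.
function query_unsafe($slashed_id) {
    return "SELECT * FROM wp_posts WHERE ID = " . $slashed_id;
}

// Hardened: unslash once, then cast or quote according to the column type.
// This mirrors what $wpdb->prepare() does with %d and %s; addslashes is used
// here only to keep the script self-contained, real code should let
// $wpdb->prepare() (or mysql_real_escape_string) do the escaping.
function query_safe($slashed_id, $slashed_title) {
    $id    = (int) stripslashes($slashed_id);
    $title = addslashes(stripslashes($slashed_title)); // escaped exactly once
    return sprintf("SELECT * FROM wp_posts WHERE ID = %d AND post_title = '%s'", $id, $title);
}

function main() {
    $_GET = emulate_magic_quotes($_GET);

    echo "slashed title : " . $_GET['title'] . "\n";                          // O\'Reilly
    echo "plugin title  : " . plugin_stripslashes_deep($_GET['title']) . "\n"; // O'Reilly
    echo "portable title: " . portable_unslash($_GET['title']) . "\n";         // O\'Reilly on PHP >= 5.4 (setting gone)

    echo "unsafe query  : " . query_unsafe($_GET['id']) . "\n";
    // SELECT * FROM wp_posts WHERE ID = 1 OR 1=1   <- injected despite the slashing

    echo "safe query    : " . query_safe($_GET['id'], $_GET['title']) . "\n";
    // SELECT * FROM wp_posts WHERE ID = 1 AND post_title = 'O\'Reilly'
}

main();
```

The third echo shows the failure mode the emulation guards against: on a modern PHP the magic_quotes_gpc setting no longer exists, so portable_unslash() leaves the slashes in place, and a plugin that relied on that check would store "O\'Reilly" while the unconditional plugin_stripslashes_deep() keeps behaving the same under every PHP version. The query pair shows that stripping and re-adding slashes is only half of the job: the type-aware cast in query_safe() is what neutralises the "1 OR 1=1" payload.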

