[wp-hackers] wp_magic_quotes makes me sad panda

Lox lox.dev at knc.nc
Fri Oct 1 05:31:16 UTC 2010


Hi,

Automatically escaping all GPC data is definitely a performance issue and
not a good practice. It has been recognized as such for a long time now and
is now deprecated (
http://www.php.net/manual/en/security.magicquotes.whynot.php)

Programmers who begin PHP development with WordPress will definitely end up being
bad programmers who do not escape their data when needed and thus write
insecure code.

In my opinion, WordPress should NOW:

- plan the change to using unescaped GPC data and communicate it to
all plugin devs.

- provide wrapper functions to access unescaped GPC data, which could be
extended in the future with data checking/filtering

- communicate about those functions as THE way to get request data, and
about how to properly escape data, and when

The argument that WordPress has to escape GPC data for server
compatibility is just *nonsense*! As WP adds the slashes automatically if
magic_quotes_gpc is off on the server, it could also remove them
automatically if the server configuration has magic_quotes_gpc set to on.

Regards

-- 
Lox
lox.dev at knc.nc
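The normalization and wrapper approach argued for above, as an added example that is not WordPress code or the poster's own: slashes are stripped only when the server's magic_quotes_gpc actually added them, application code reads raw values through a single hypothetical wrapper (`request_raw`), and escaping happens at the point of use via a prepared statement. `normalize_gpc` and `strip_magic_quotes_deep` are names assumed here; the sample request arrays are constructed.

```php
<?php
// Added example, not WordPress code. Strip magic-quote slashes only when the
// server added them, so the application always sees raw values, and escape
// at the point of use instead of relying on pre-slashed input.

/** Recursively remove one layer of magic-quote slashes. */
function strip_magic_quotes_deep($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes_deep', $value)
        : stripslashes($value);
}

/**
 * Normalize a GPC array ($_GET, $_POST or $_COOKIE) to raw, unescaped form.
 * $magic_quotes_on is what get_magic_quotes_gpc() reports on PHP 5/7; the
 * function and the setting no longer exist in PHP 8, where it is always false.
 */
function normalize_gpc(array $data, $magic_quotes_on)
{
    return $magic_quotes_on ? strip_magic_quotes_deep($data) : $data;
}

/** Hypothetical wrapper: the one sanctioned way to read a raw request value. */
function request_raw(array $normalized, $key, $default = null)
{
    return array_key_exists($key, $normalized) ? $normalized[$key] : $default;
}

/** Escape at the point of use: a prepared statement, never addslashes(). */
function find_user_by_login(PDO $db, $login)
{
    $stmt = $db->prepare('SELECT id FROM users WHERE user_login = ?');
    $stmt->execute(array($login));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed sample: what PHP would place in $_POST for the input  o'brien
// under each server configuration.
$post_with_mq    = array('user_login' => "o\\'brien"); // magic_quotes_gpc=On
$post_without_mq = array('user_login' => "o'brien");   // magic_quotes_gpc=Off

// Both paths yield the same raw value for the rest of the application.
$raw_a = request_raw(normalize_gpc($post_with_mq, true),     'user_login');
$raw_b = request_raw(normalize_gpc($post_without_mq, false), 'user_login');
var_dump($raw_a, $raw_b, $raw_a === $raw_b);

// At use time, e.g.: $db = new PDO('sqlite::memory:'); find_user_by_login($db, $raw_a);
```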