[wp-hackers] wp_magic_quotes makes me sad panda

Peter Westwood peter.westwood at ftwr.co.uk
Fri Oct 1 10:54:30 UTC 2010


On 1 Oct 2010, at 06:31, Lox wrote:

> Escaping automatically all GPC data is definitely a performance issue and
> not a good practice. It has been recognized like so for a long time now and
> is now deprecated (
> http://www.php.net/manual/en/security.magicquotes.whynot.php)
> Programmers that begin php dev with wordpress, will definitely end up behind
> bad programmers not escaping their data when needed and thus writing
> unsecured code.
> In my opinion, wordpress should NOW:
> - plan the change to using un-escaped GPC data and communicate about it to
> all plugin devs.
> - provide wrapper functions to access un-escaped GPC data, that could be
> extended in the future with data checking/filtering
> - communicate about those functions as THE way to get Request data, and
> about how to properly escape data and when
> The reason stating that wordpress has to escape GPC data for servers
> compatibility is just *a nonsense*! As WP adds the slashes automatically, if
> magic_quote_gpc is off on the server, it could also remove them
> automatically if the server configuration has magic_quote_gpc set to on.

If you want to test and provide a patch for every single plugin in the repo so that it works once this is done and before it is done then we might be able to consider this.

Otherwise you are just flogging a dead horse - we value backwards compatibility and our ability to work in as many hosting environments as possible.

This is what has made WordPress a successful platform.

A project that runs in so many different locations as WordPress does has to work with the lowest common denominator of scenarios and can't change just because something is a better way to do it now.

Don't blame us because PHP used to be so broken in this respect :-( we are doing the best for the users we can do to keep them secure!

Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
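The normalisation Lox describes in the quoted message (hand plugin code raw, un-slashed GPC data whatever magic_quotes_gpc is set to, then escape once at the sink) as an added example; this is not WordPress code, and `request_raw` and `strip_slashes_deep` are hypothetical names. `get_magic_quotes_gpc()` only exists on PHP 7 and earlier, which is why the flag is probed with `function_exists`.

```php
<?php
// Added example (not WordPress code): one accessor for request data that
// always returns the raw value, independent of the server's magic_quotes_gpc.

/** Recursively remove the slashes magic_quotes_gpc added to a value or nested array. */
function strip_slashes_deep($value) {
    return is_array($value) ? array_map('strip_slashes_deep', $value) : stripslashes($value);
}

/**
 * Hypothetical wrapper: return $source[$key] un-slashed. $slashed says whether
 * the data arrived with magic-quote slashes; it defaults to the server setting.
 * $filter is an optional checking/filtering callback applied to the raw value.
 */
function request_raw(array $source, $key, $default = null, $slashed = null, callable $filter = null) {
    if (!array_key_exists($key, $source)) {
        return $default;
    }
    if ($slashed === null) {
        // PHP 8 removed magic quotes entirely, so input there is already raw.
        $slashed = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    }
    $value = $slashed ? strip_slashes_deep($source[$key]) : $source[$key];
    return $filter ? $filter($value) : $value;
}

// Constructed inputs: the same title as a server with magic quotes on would
// deliver it, and as a server with magic quotes off would deliver it.
$from_magic_on  = ['title' => "O\\'Reilly \\\"WP\\\""];
$from_magic_off = ['title' => "O'Reilly \"WP\""];

$a = request_raw($from_magic_on,  'title', '', true,  'trim');
$b = request_raw($from_magic_off, 'title', '', false, 'trim');
assert($a === $b && $a === 'O\'Reilly "WP"');   // both callers see the raw value

// Escape once, at the sink, in the form that sink needs (not on input).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE posts (title TEXT)');
$stmt = $pdo->prepare('INSERT INTO posts (title) VALUES (:title)');
$stmt->execute([':title' => $a]);                 // driver quotes for SQL
echo '<h1>' . htmlspecialchars($a, ENT_QUOTES, 'UTF-8') . "</h1>\n"; // HTML context
```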
