[wp-hackers] add_magic_quotes fail

Mark E mark at simplercomputing.net
Wed Jan 26 21:17:11 UTC 2011


Hi All,

In the WordPress file wp-includes/functions.php, somewhere around line 
1460, there is the function add_magic_quotes. That function does the 
add_slashes to sanitize data.

However, when handling an array of data that includes objects within 
objects, it will crash because the code is written to only expect arrays 
and strings.

For example, if a third-party plugin adds its own object to the 
WordPress user data object, then when a profile is edited the update 
process will fail with a fatal error.

So I think add_magic_quotes ought to be modified to check for nested 
objects, either that, or the WordPress code that handles updating user 
profile data needs to handle it. One way or the other.

See registration.php around line 260, where we find this problem:

         // First, get all of the original fields
         $user = get_userdata($ID);

         // Escape data pulled from DB.
         $user = add_magic_quotes(get_object_vars($user));

Doh.


Mark
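
Added example, not part of the original message and not WordPress core code: a simplified stand-in for the arrays-and-strings-only behaviour described above, next to a variant that also recurses into nested objects. The function names and the sample user record are hypothetical, and it assumes PHP 8, where addslashes() throws a TypeError when handed an object.

```php
<?php
// Added illustration; function names are hypothetical, not WordPress APIs.

// Stand-in for the behaviour the post describes: arrays and strings only.
function naive_magic_quotes(array $data): array
{
    foreach ($data as $k => $v) {
        $data[$k] = is_array($v) ? naive_magic_quotes($v) : addslashes($v);
    }
    return $data;
}

// Variant that also walks objects nested anywhere in the structure.
function deep_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('deep_magic_quotes', $value);
    }
    if (is_object($value)) {
        $copy = clone $value; // leave the caller's object untouched
        foreach (get_object_vars($copy) as $prop => $v) {
            $copy->$prop = deep_magic_quotes($v);
        }
        return $copy;
    }
    // Escape strings only; ints, bools and null pass through unchanged.
    return is_string($value) ? addslashes($value) : $value;
}

// Constructed sample: a user record with a plugin-added object inside it.
$user = new stdClass();
$user->display_name = "Mark O'Neil";
$user->plugin_data = new stdClass();
$user->plugin_data->note = 'said "hi"';
$user->plugin_data->tags = array("it's", 'ok');

// The naive version reaches addslashes() with an object and fails.
try {
    naive_magic_quotes(get_object_vars($user));
    echo "naive: no error\n";
} catch (Throwable $e) {
    echo 'naive: ', get_class($e), "\n";
}

// The recursive version escapes every string, including nested ones.
$safe = deep_magic_quotes(get_object_vars($user));
echo $safe['display_name'], "\n";
echo $safe['plugin_data']->note, "\n";
echo implode(',', $safe['plugin_data']->tags), "\n";
```

The recursive variant touches public properties only and does not guard against cyclic object graphs.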

