[wp-hackers] Magic Quoting removal Road Map/Plan

Jari Pennanen ciantic at oksidi.com
Fri Jun 10 14:57:12 UTC 2011


I've been doing plugins and Wordpress themes now for few weeks, and I
just discovered that there is nasty ancient relic: MAGIC QUOTING,
still enforced in WP. Needless to say it has to be abolished some
time. But I found out that there is no plan, or any kind of road map
to get rid of it!

So I decided to post my plan here:

1. First phase, add some identifier it does not matter what as long as
it is there telling they are quoted, it is better than nothing and
does not break anything:

  function wp_magic_quotes() {
    set_magic_quotes_runtime(true); // <PHP5.3
    ini_set('magic_quotes_runtime', true); // >PHP5.3
    // atleast WP Specific, if above does not work?
    $WP_MAGIC_QUOTES = true;

All plugin developers should be then encouraged to stripslashes
*conditionally* based on this attribute which ever is used.

1. First phase (optional) (slight memory overhead but then again WP
has a lot of memory overhead already, and this one is for good cause):

This would make adding external libraries faster: Store untouched
"pure" version of the superglobals to the alternative superglobal so
that one could simply *search/replace* external libraries for $_POST

  function wp_magic_quotes() {
    // Currently search & replace with
    // stripslashes that does not always work
    // Following is not pretty, but makes patching
    // external libs fast only search / replace:
    $_POST = add_magic_quotes( $_POST );

Both of these first phase ideas are such that does *not* break
backwards compatibility, only improve forward compatibility.

2. Phase get rid of ORIGINAL_POST, ORIGINAL_GET if any, secondly set
the WP_MAGIC_QUOTES = false, then one can "almost" safely remove the
magic quoting. But for those who care about backwards compatibility we
can do same trick as in first phase but for quoted variables:

  function wp_magic_quotes() {
    $_SERVER['QUOTED_POST'] = add_magic_quotes($_POST);

Old plugins should simply replace $_POST -> $_SERVER['QUOTED_POST] if
they are not in mood to fix their plugins all the way.

New libraries/plugins could simply use PHP default behavior of _POST -
no more hacks for new libraries!

3. Phase get rid of whole wp_magic_quotes! Mission accomplished.


P. S. please do not only consider phase 1, do it! It costs nothing -
only one variable WP_MAGIC_QUOTES = true and everyone could
conditionally start stripslashing according to this variable.

More information about the wp-hackers mailing list