[wp-hackers] add_magic_quotes() Plans for removal?

Peter Westwood peter.westwood at ftwr.co.uk
Mon Mar 7 15:25:57 UTC 2011


On 7 Mar 2011, at 14:58, Kevin Newman wrote:

> I recently wrestled with the same problem. I checked the php setting (get_ini), and failed to understand why everything is still escaped, even when the php.ini setting shows it was clearly disabled (until I found the actual function that does it, and some really really old forum posts).
> 
> Suggested fixes:
> 
> 1. When you re-escape everything, also set the magic quotes ini setting. If setting the php.ini flag doesn't get reflected in get_ini, at least add a WP function to check whether this is disabled (or add it to some document somewhere).
> 
> 2. Add a wp-config setting that simply turns off the WP auto-magic-quotes.
> 
> I understand why it was done, and why there has been no effort to change it, but if PHP core can go through the pain, surely WordPress can handle the change too.
> 

As has been said in response to previous threads on this subject:

We would love to remove this code but we can't without opening up numerous possible security issues in plugins which unfortunately rely on it.

If you want to go through and review every plugin in the plugin repo, create patches and get them accepted by the plugin authors, then we can consider removing this code. Until then it is not a good idea.

Cheers
-- 
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
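
The dependency described in the reply above, as an added example that is not part of the original message or of WordPress itself: a stand-alone PHP script contrasting a plugin pattern that is only held together by the automatic slashing with one that does not rely on it. All function and table names are hypothetical, the sample input is constructed, and the broken-literal check is deliberately simplified.

```php
<?php
// Added example: stand-alone, no WordPress required. Function and table
// names are hypothetical; the sample input is constructed.

// Stand-in for the recursive slashing of request data discussed in the thread.
function demo_add_magic_quotes(array $input): array
{
    foreach ($input as $key => $value) {
        $input[$key] = is_array($value)
            ? demo_add_magic_quotes($value)
            : addslashes((string) $value);
    }
    return $input;
}

// Plugin pattern that relies on the slashing: request data is concatenated
// straight into a MySQL-style string literal.
function legacy_query(array $post): string
{
    return "SELECT id FROM demo_authors WHERE name = '" . $post['name'] . "'";
}

// Pattern that does not rely on it: undo the slashing when present, then
// hand the raw value over as a bound parameter instead of as SQL text.
function hardened_query(array $post, bool $input_is_slashed): array
{
    $name = $input_is_slashed ? stripslashes($post['name']) : $post['name'];
    return ['SELECT id FROM demo_authors WHERE name = ?', [$name]];
}

// Simplified check: does the quoted value contain a single quote that is
// not preceded by a backslash (i.e. one that would end the literal early)?
function literal_is_broken(string $sql): bool
{
    $inner = substr($sql, strpos($sql, "'") + 1, -1);
    return preg_match("/(?<!\\\\)'/", $inner) === 1;
}

$raw     = ['name' => "O'Reilly"];        // constructed sample input
$slashed = demo_add_magic_quotes($raw);   // what plugin code receives today

foreach (['slashing on' => $slashed, 'slashing removed' => $raw] as $label => $post) {
    $sql = legacy_query($post);
    printf("%-17s %s  broken=%s\n", $label, $sql, literal_is_broken($sql) ? 'yes' : 'no');
}

[$sql, $params] = hardened_query($slashed, true);
printf("%-17s %s  params=%s\n", 'hardened', $sql, json_encode($params));
```

In a real plugin the bound-parameter form would go through the database layer's prepared-statement support rather than being returned as a pair.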


