[wp-hackers] Escaping post meta values

Ryan McCue lists at rotorised.com
Thu May 23 05:05:24 UTC 2013

Otto wrote:
> I agree that it's not ideal (and indeed, stupid in a way), but I 
> wouldn't go so far as to call it insane.
I'd say that it's definitely insane. SQL escaping should be moved down 
the stack as much as possible, and it should be opaque to the point that 
I'd have no idea that user meta is stored in an SQL database without 
looking at the code.

Escaping the data at such a high level is definitely insane. At the 
opposite end of the spectrum, you end up with magic quotes, and I think 
we all know why that's a horrible idea.

Ryan McCue

More information about the wp-hackers mailing list