[wp-hackers] Magic Quoting removal Road Map/Plan
Jari Pennanen
ciantic at oksidi.com
Fri Jun 10 14:57:12 UTC 2011
Hello!

I've been doing plugins and WordPress themes now for a few weeks, and I
just discovered that there is a nasty ancient relic: MAGIC QUOTING,
still enforced in WP. Needless to say it has to be abolished some
time. But I found out that there is no plan, or any kind of road map
to get rid of it!

So I decided to post my plan here:

1. First phase: add some identifier (it does not matter what, as long as
it is there) telling that they are quoted; it is better than nothing and
does not break anything:
    function wp_magic_quotes() {
        // Without this the assignment below would only create a local variable
        global $WP_MAGIC_QUOTES;
        ...
        set_magic_quotes_runtime(true); // <PHP5.3
        ini_set('magic_quotes_runtime', true); // >PHP5.3
        // at least WP specific, if above does not work?
        $WP_MAGIC_QUOTES = true;
    }
All plugin developers should then be encouraged to stripslashes
*conditionally* based on this attribute, whichever is used.

1. First phase (optional) (slight memory overhead, but then again WP
has a lot of memory overhead already, and this one is for a good cause):
This would make adding external libraries faster: store an untouched
"pure" version of the superglobals in an alternative superglobal so
that one could simply *search/replace* external libraries for $_POST
-> $_SERVER['ORIGINAL_POST']:
    function wp_magic_quotes() {
        // Currently search & replace with
        // stripslashes that does not always work
        //
        // Following is not pretty, but makes patching
        // external libs fast only search / replace:
        $_SERVER['ORIGINAL_POST'] = $_POST;
        $_SERVER['ORIGINAL_GET'] = $_GET;
        ...
        $_POST = add_magic_quotes( $_POST );
        ...
    }
Both of these first phase ideas are such that they do *not* break
backwards compatibility, only improve forward compatibility.

2. Phase: get rid of ORIGINAL_POST, ORIGINAL_GET if any; secondly set
the WP_MAGIC_QUOTES = false; then one can "almost" safely remove the
magic quoting. But for those who care about backwards compatibility we
can do the same trick as in the first phase, but for quoted variables:
    function wp_magic_quotes() {
        $_SERVER['QUOTED_POST'] = add_magic_quotes($_POST);
        ...
    }
Old plugins should simply replace $_POST -> $_SERVER['QUOTED_POST'] if
they are not in the mood to fix their plugins all the way.
New libraries/plugins could simply use the PHP default behavior of _POST -
no more hacks for new libraries!

3. Phase: get rid of the whole wp_magic_quotes! Mission accomplished.
Thanks,
P.S. Please do not only consider phase 1, do it! It costs nothing -
only one variable WP_MAGIC_QUOTES = true and everyone could
conditionally start stripslashing according to this variable.
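
The conditional stripslashes pattern the message proposes for plugins, as an added example that is not part of the original post and is not WordPress code. WP_MAGIC_QUOTES is the flag proposed above, not an existing WordPress global; sim_add_magic_quotes(), map_deep_strings() and plugin_raw_input() are hypothetical names, and the request data is constructed.

```php
<?php
// WP_MAGIC_QUOTES is the flag proposed in the post (assumption, not a real
// WordPress global). sim_add_magic_quotes() is a stand-in for the core
// add_magic_quotes() named in the post.

// Recursively apply a string function to every string leaf of a value.
function map_deep_strings($value, callable $fn) {
    if (is_array($value)) {
        return array_map(function ($v) use ($fn) {
            return map_deep_strings($v, $fn);
        }, $value);
    }
    return is_string($value) ? $fn($value) : $value;
}

// Simulates core slashing a superglobal on every request.
function sim_add_magic_quotes(array $input) {
    return map_deep_strings($input, 'addslashes');
}

// Plugin-side accessor: strip slashes only when the flag says core added them.
function plugin_raw_input(array $superglobal) {
    $quoted = !empty($GLOBALS['WP_MAGIC_QUOTES']);
    return $quoted ? map_deep_strings($superglobal, 'stripslashes') : $superglobal;
}

// Constructed sample request body containing quotes and literal backslashes.
$submitted = array(
    'title' => "O'Reilly \\ \"draft\"",
    'tags'  => array("it's", 'C:\\temp'),
);

// Phase 1: core quotes the input and announces it through the flag.
$GLOBALS['WP_MAGIC_QUOTES'] = true;
$post = sim_add_magic_quotes($submitted);
var_dump(plugin_raw_input($post) === $submitted);

// Phase 3: quoting removed and flag false; the same plugin code still
// returns the submitted values unchanged.
$GLOBALS['WP_MAGIC_QUOTES'] = false;
var_dump(plugin_raw_input($submitted) === $submitted);

// For comparison: unconditional stripslashes on unquoted input drops the
// user's literal backslashes, so this comparison fails.
var_dump(map_deep_strings($submitted, 'stripslashes') === $submitted);
```

The value returned by plugin_raw_input() is raw user input; the slashes core adds are not a substitute for escaping or parameter binding at the point of use.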