[wp-hackers] Magic Quoting removal Road Map/Plan

Jari Pennanen ciantic at oksidi.com
Fri Jun 10 15:28:36 UTC 2011


Hi!

Got perhaps a better idea for the first phase: encourage wrappers for
getting user input which always give the data in *non-magic quoted*
format:

  function wp_get_post($key[, $defaultvalue=null]);
  function wp_get_get($key[, $defaultvalue=null]);
  function wp_get_request($key[, $defaultvalue=null]);

These wrappers would allow developers to see when wp_magic_quotes can
be removed == when most people use these wrapper functions in plugins.

Those should be used like this in plugins:

  $a = wp_get_post("something", "notfound");

which would be the same as currently (in WP):

  $a = stripslashes_deep(isset($_POST['something']) ? $_POST['something'] : 'notfound');

This does not break anything either.

2011/6/10 John Blackbourn <johnbillion+wp at gmail.com>:
> On 10 June 2011 15:57, Jari Pennanen <ciantic at oksidi.com> wrote:
>> Hello!
>>
>> I've been doing plugins and WordPress themes now for a few weeks, and I
>> just discovered that there is a nasty ancient relic: MAGIC QUOTING,
>> still enforced in WP. Needless to say it has to be abolished some
>> time. But I found out that there is no plan, or any kind of road map
>> to get rid of it!
>>
>
> Hi Jari,
>
> Welcome to WordPress!
>
> This topic has been discussed at length in the past, most recently in
> March [1]. This specific response from Andrew Nacin [2] sums it up
> well (Andrew is a WordPress core committer).
>
> The single most important thing is consistency - whether we have magic
> quoted variables or non-magic quoted variables - as long as we only have
> one or the other then it makes the lives of WordPress plugin
> developers that much easier and their code that much more secure. It's
> important to realise that having magic quoted variables isn't
> inherently bad, the badness comes from inconsistencies between
> environments (which is what WordPress avoids by magic quoting
> everything). If a plugin author forgets a conditional check somewhere
> on a variable and doesn't escape it, it introduces a potential
> security vulnerability (which is one of the main reasons magic quoting
> was deprecated in PHP itself - to achieve consistency).
>
> The code that you included has little benefit over PHP's default
> implementation of magic quotes. The end result is that plugins must
> still perform conditional logic each time they interface with $_GET or
> $_POST variables to see whether the data is magic quoted or not. This
> is exactly what we avoid in the WordPress environment by quoting
> everything.
>
> John
>
> [1] http://groups.google.com/group/wp-hackers/search?group=wp-hackers&q=add_magic_quotes
> [2] http://groups.google.com/group/wp-hackers/msg/5946c2dab52c88e6
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
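The wrappers proposed above, written out as an added illustration (this is not WordPress code and not code from the post). The helper names `wp_stripslashes_recursive()` and `wp_get_from_array()` are assumptions standing in for WordPress's `stripslashes_deep()`, so the file runs outside a WordPress install; the `$_POST` contents are constructed to look like data after `wp_magic_quotes()` has run.

```php
<?php
// Added example of the proposed wp_get_post()/wp_get_get()/wp_get_request()
// wrappers. Hypothetical helper names; not part of WordPress.

/**
 * Strip one level of backslash escaping from a string, or recursively from
 * every leaf of a nested array. Stands in for WordPress's stripslashes_deep(),
 * which is assumed to be unavailable here.
 */
function wp_stripslashes_recursive($value) {
    if (is_array($value)) {
        return array_map('wp_stripslashes_recursive', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

/**
 * Return $source[$key] with magic quotes removed, or $default when the key
 * is absent. Hypothetical shared helper behind the three wrappers.
 */
function wp_get_from_array(array $source, $key, $default = null) {
    if (!array_key_exists($key, $source)) {
        return $default;
    }
    return wp_stripslashes_recursive($source[$key]);
}

function wp_get_post($key, $default = null) {
    return wp_get_from_array($_POST, $key, $default);
}

function wp_get_get($key, $default = null) {
    return wp_get_from_array($_GET, $key, $default);
}

function wp_get_request($key, $default = null) {
    return wp_get_from_array($_REQUEST, $key, $default);
}

// Constructed sample: $_POST as it looks once magic quoting has added slashes.
$_POST = array(
    'title' => 'O\\\'Reilly said \\"hi\\"',   // raw: O\'Reilly said \"hi\"
    'tags'  => array('it\\\'s', 'plain'),     // raw: it\'s, plain
);

$title = wp_get_post('title', 'notfound');     // O'Reilly said "hi"
$tags  = wp_get_post('tags', array());         // array("it's", "plain")
$none  = wp_get_post('missing', 'notfound');   // default, key absent

echo $title, "\n";
echo implode(', ', $tags), "\n";
echo $none, "\n";

// The wrapper only removes the magic-quote escaping. The plugin is still
// responsible for output- and query-context escaping of the returned value,
// e.g. esc_html() for HTML and $wpdb->prepare() for SQL in a real WP install.
```

Because every call site goes through one function, the day `wp_magic_quotes()` is removed only `wp_get_from_array()` changes (it stops stripping slashes); plugins that already use the wrappers keep working, while direct `$_POST` consumers are the ones that would break.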
