[wp-hackers] Escaping post meta values
Ryan McCue
lists at rotorised.com
Thu May 23 05:05:24 UTC 2013
Otto wrote:
> I agree that it's not ideal (and indeed, stupid in a way), but I
> wouldn't go so far as to call it insane.

I'd say that it's definitely insane. SQL escaping should be moved down
the stack as much as possible, and it should be opaque to the point that
I'd have no idea that user meta is stored in an SQL database without
looking at the code.

Escaping the data at such a high level is definitely insane. At the
opposite end of the spectrum, you end up with magic quotes, and I think
we all know why that's a horrible idea.

--
Ryan McCue
<http://ryanmccue.info/>
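
The layering argued for in the message above, as an added example that is not part of the original message and is not WordPress code: a hypothetical `MetaStore` class (its table and method names are assumptions) binds values at the storage layer with PDO prepared statements, so callers pass raw strings. The last lines show a caller that escapes anyway, as magic quotes did for all input, and ends up with the slashes stored as data.

```php
<?php
// Added example. MetaStore, the meta table and the method names are
// hypothetical; an in-memory SQLite database stands in for the backend.
final class MetaStore
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $this->db->exec('CREATE TABLE IF NOT EXISTS meta (
            object_id INTEGER NOT NULL, meta_key TEXT NOT NULL,
            meta_value TEXT NOT NULL, PRIMARY KEY (object_id, meta_key))');
    }

    // Callers pass raw values. Binding happens here, in the only layer
    // that knows the backend is an SQL database.
    public function set(int $id, string $key, string $value): void
    {
        $stmt = $this->db->prepare('INSERT OR REPLACE INTO meta
            (object_id, meta_key, meta_value) VALUES (?, ?, ?)');
        $stmt->execute([$id, $key, $value]);
    }

    public function get(int $id, string $key): ?string
    {
        $stmt = $this->db->prepare(
            'SELECT meta_value FROM meta WHERE object_id = ? AND meta_key = ?');
        $stmt->execute([$id, $key]);
        $value = $stmt->fetchColumn();
        return $value === false ? null : $value;
    }
}

$store = new MetaStore(new PDO('sqlite::memory:'));

// Constructed sample value containing a single quote and backslashes.
$raw = "O'Brien keeps notes in C:\\temp";

// Escaping handled at the storage layer: the raw value round-trips unchanged.
$store->set(1, 'note', $raw);
var_dump($store->get(1, 'note') === $raw);

// Escaping applied by the caller on top of that: the added backslashes are
// stored as data, so the value read back no longer matches what was meant.
$store->set(2, 'note', addslashes($raw));
var_dump($store->get(2, 'note') === $raw);
```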