[wp-trac] [WordPress Trac] #5791: End the Escape Madness in wp-settings.php

WordPress Trac wp-trac at lists.automattic.com
Thu Feb 7 08:49:09 GMT 2008


#5791: End the Escape Madness in wp-settings.php
---------------------+------------------------------------------------------
 Reporter:  hakre    |       Owner:  anonymous
     Type:  defect   |      Status:  new      
 Priority:  normal   |   Milestone:  2.6      
Component:  General  |     Version:           
 Severity:  normal   |    Keywords:           
---------------------+------------------------------------------------------
 Mixing things up is, well, mixing things up. I know it's very hard, the
 damn fucking hard way, to realize this years later and then confront
 yourself with an installation base you have just left all over the planet.
 I think any PHP coder knows about such issues. One of them, for me, is
 what I call the

 magic-quotes-complex.

 There was a time when you needed to check, at the very beginning of your
 code, whether magic_quotes_gpc was on or off. Do you remember? Gosh, that
 was a time!

 So everybody who had no access to the PHP configuration put some if clause
 in their code checking for get_magic_quotes_gpc() and then unslashing the
 request vars if they were slashed.

 Then time passed by.

 Things changed.

 PHP evolved.

 There was much talk about PHP.

 At the end of a very long and deep discussion process, the PHP devs decided
 to throw magic_quotes out of their codebase because it created a lot of
 chaos while proving of no use.

 Some time ago, some authors thought: hmm, how to end the madness? They were
 very, very clever: not only checking for PHP-added slashes and then
 removing them all, only to add slashes all over again. Put shortly:
 escaping the escaping madness and leaving an even bigger madness.

 Dear WordPress devs, when can we end this? I know it's hard to realise, but
 wouldn't it be possible to throw out this second escaping of anything that
 comes in by request, leaving the programmers a chance to know what kind of
 data they are dealing with? I don't want to rant, but what about providing
 at least a known version number or a global configuration setting so that a
 plugin author knows whether form input is uselessly slashed or not? Adding
 slashes at the very beginning does not help anyone; it was a fault to think
 that it reduces attacks.

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5791>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
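The slashing problem the ticket describes, as an added PHP example that is not code from the ticket, from WordPress core or from wp-settings.php: the historical get_magic_quotes_gpc() check-and-unslash idiom, a simulation of a framework layer that normalises all request data to an always-slashed state, and what a consumer who knows the data is slashed should do instead of guessing. The function names (unslash_deep, undo_magic_quotes_if_enabled, simulate_always_slashed_request, store_title) and the sample input are constructed for this illustration.

```php
<?php
// Added example, not from the ticket or WordPress core. Demonstrates the
// "magic-quotes-complex": code that cannot know whether request data arrives
// slashed, and the double-escaping that results when two layers both guess.

// Recursively strip one layer of slashes from a string or nested array.
function unslash_deep($value) {
    if (is_array($value)) {
        return array_map('unslash_deep', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Historical idiom: undo magic_quotes_gpc only if PHP actually applied it.
// get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in 8.0,
// hence the function_exists() guard so this still runs on current PHP.
function undo_magic_quotes_if_enabled(array $request) {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return unslash_deep($request);
    }
    return $request;
}

// Simulation (constructed, not WordPress code) of the behaviour the ticket
// complains about: strip PHP's slashes if present, then add slashes to every
// string unconditionally, so plugin code always receives slashed data.
function simulate_always_slashed_request(array $request) {
    $plain = undo_magic_quotes_if_enabled($request);
    return array_map(function ($v) {
        return is_string($v) ? addslashes($v) : $v;
    }, $plain);
}

// What a consumer should do once it knows the data is slashed exactly once:
// strip that layer to recover the user's literal input, then let the sink
// (here a prepared statement) do its own escaping. Never addslashes() again.
function store_title(PDO $db, string $slashed_from_framework) {
    $plain = stripslashes($slashed_from_framework);
    $stmt  = $db->prepare('INSERT INTO posts (title) VALUES (:t)');
    $stmt->execute([':t' => $plain]);
    return (string) $db->query('SELECT title FROM posts')->fetchColumn();
}

// Constructed demonstration on a value with both quote characters.
$user_typed = "O'Reilly says \"hi\"";
$request    = simulate_always_slashed_request(['title' => $user_typed]);

// One layer of slashes was added by the framework simulation.
assert(stripslashes($request['title']) === $user_typed);

// A consumer who guards on get_magic_quotes_gpc() (off on modern PHP) strips
// nothing and keeps the framework's slashes in the data it works with.
assert(undo_magic_quotes_if_enabled($request)['title'] === addslashes($user_typed));

// A consumer who escapes again doubles the escaping; the stored value no
// longer equals what the user typed after a single unslash.
$double = addslashes($request['title']);
assert(stripslashes($double) !== $user_typed);

// Correct handling round-trips the literal input through the SQL sink.
if (extension_loaded('pdo_sqlite')) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE posts (title TEXT)');
    assert(store_title($db, $request['title']) === $user_typed);
}
```

The point of the simulation is that both layers guard on the same unknowable question (are these slashes PHP's or ours?), so a plugin author has no way to tell how many times to strip; the only robust position for the consumer is to strip exactly the layer the framework documents and to escape only at the sink, with escaping suited to that sink.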