[wp-trac] Re: [WordPress Trac] #9640: wp_update_user() blindly calls
add_magic_quotes(), even on objects
WordPress Trac
wp-trac at lists.automattic.com
Thu Apr 30 12:54:04 GMT 2009
#9640: wp_update_user() blindly calls add_magic_quotes(), even on objects
-----------------------------------+----------------------------------------
Reporter: misterbisson | Owner:
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 2.8
Component: Users | Version: 2.8
Severity: normal | Resolution:
Keywords: dev-feedback security |
-----------------------------------+----------------------------------------
Comment(by hakre):
my first patch ignored objects in add_magic_quotes so that authors using
objects there do not run into problems. leaving it unfixed is at least an
option every time, but since it was reported here and the userdata
explicitly allows objects, there should be no error thrown. not handling
objects in add_magic_quotes in the sense of not trying to escape those
(just skip objects in there by decision) is most reasonable to me.
my suggestion:
1.) patch add_magic_quotes to not add quotes to objects.
that's it.
argumentation: add_magic_quotes is used with userdata that is able to
contain objects by design (it is made for that).
if you have a problem with the argumentation, then a suggestion is to
create a function called add_magic_quotes_to_userdata($user); and use it
in that case.
this helps at least solving the dilemma. and it leaves space for the other
design issues you raised as well.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9640#comment:19>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
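
The change suggested in the comment above, sketched as an added example (not code from the ticket, its patches or WordPress core). `add_magic_quotes_skip_objects()` is a hypothetical name, PHP's `addslashes()` stands in as an assumption for the escaping core applies to each value, and the sample userdata is constructed.

```php
<?php
// Added illustration, not WordPress core code. The function name is
// hypothetical and addslashes() is an assumed stand-in for core's escaping.
function add_magic_quotes_skip_objects( array $data ) {
    foreach ( $data as $key => $value ) {
        if ( is_array( $value ) ) {
            // Nested arrays are escaped recursively.
            $data[ $key ] = add_magic_quotes_skip_objects( $value );
        } elseif ( is_string( $value ) ) {
            $data[ $key ] = addslashes( $value );
        }
        // Objects (and ints, bools, null) fall through unchanged, so no
        // string function is ever called on an object.
    }
    return $data;
}

// Constructed sample: userdata that carries an object next to plain strings.
$prefs            = new stdClass();
$prefs->signature = "it's mine";

$userdata = array(
    'display_name' => "O'Brien",
    'aliases'      => array( "D'Arcy", 'plain' ),
    'prefs'        => $prefs,
);

$escaped = add_magic_quotes_skip_objects( $userdata );

// Top-level and nested strings come back escaped.
var_export( $escaped['display_name'] );
echo PHP_EOL;
var_export( $escaped['aliases'] );
echo PHP_EOL;

// The object is passed through as-is, including its string property.
var_export( $escaped['prefs'] === $prefs );
echo PHP_EOL;
var_export( $escaped['prefs']->signature );
echo PHP_EOL;
```

Strings held inside a skipped object stay unescaped, so whatever later writes them to the database has to escape or parameterize them itself.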