[wp-trac] [WordPress Trac] #18322: The Road to Magic Quotes Sanity
WordPress Trac
wp-trac at lists.automattic.com
Thu Dec 15 04:44:34 UTC 2011
#18322: The Road to Magic Quotes Sanity
--------------------------+-----------------------------
 Reporter:  ryan          |       Owner:
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  Future Release
Component:  General       |     Version:  3.2.1
 Severity:  normal        |  Resolution:
 Keywords:                |
--------------------------+-----------------------------

Comment (by markjaquith):

Ryan — I think it's futile to hope for a future where we can flip magic
quotes off. There's a non-negligible chance that we'll introduce security
issues for the plugins that don't change. And you know they won't. So
what's the problem we're trying to solve? I think you outlined it here:

> This is a pain, especially given that some core API expects slashes and
> some doesn't.

So why not give them a new way to access those superglobals that is
non-slashed by default? Proposal (for how you'd use it... you can infer the
implementation):

{{{
$foo = _GET( 'bar' ); // OLD: $foo = $_GET['bar'];
_GET( 'bar', 'newvalue' ); // OLD: $_GET['bar'] = 'newvalue';
}}}

And so forth for the other magic-quoted superglobals. Yes, we're doing
double work in terms of pre-slashing and then unslashing on access... but
we are already. And this is simpler than remembering to wrap everything
with {{{stripslashes()}}}. Also, we can do fancy stuff, if we need to, and
filter superglobal access through this API. Don't have a use case for
that... but we'd have the option.

We could do complicated stuff with implementing the ArrayObject interface,
like Dion's code did... which gives us iteration, etc. But I don't think
we need to. Frankly, even '''setting''' superglobals is sketchy.

--
Ticket URL: <http://core.trac.wordpress.org/ticket/18322#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
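
One way the accessor proposed in the comment above could work, as an added example that is not code from the ticket or from WordPress core. The `example_*` helper names and bodies are hypothetical, and the sample `$_GET` contents are constructed to simulate superglobals that have already been slashed.

```php
<?php
// Added example. _GET()/_POST() follow the usage proposed in the comment;
// the example_* helpers and their bodies are assumptions, not WordPress code.

// Recursively remove slashes from a string or a nested array of strings.
function example_unslash_deep( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'example_unslash_deep', $value );
    }
    return is_string( $value ) ? stripslashes( $value ) : $value;
}

// Recursively add slashes, matching what legacy callers expect to find.
function example_slash_deep( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'example_slash_deep', $value );
    }
    return is_string( $value ) ? addslashes( $value ) : $value;
}

// Read: return an unslashed copy. Write: store the slashed form, so code that
// still reads the superglobal directly and calls stripslashes() keeps working.
function example_superglobal( array &$store, array $args ) {
    $key = $args[0];
    if ( count( $args ) > 1 ) {
        $store[ $key ] = example_slash_deep( $args[1] );
        return $args[1];
    }
    return isset( $store[ $key ] ) ? example_unslash_deep( $store[ $key ] ) : null;
}

function _GET( $key ) {
    return example_superglobal( $_GET, func_get_args() );
}

function _POST( $key ) {
    return example_superglobal( $_POST, func_get_args() );
}

// Constructed input: simulate a request after forced slashing of superglobals.
$_GET = array( 'bar' => addslashes( "O'Reilly" ), 'tags' => array( addslashes( 'a"b' ) ) );

var_dump( _GET( 'bar' ) === "O'Reilly" );            // accessor returns raw value
var_dump( _GET( 'tags' ) === array( 'a"b' ) );       // nested arrays are handled
_GET( 'bar', "D'Arcy" );                             // write through the accessor
var_dump( $_GET['bar'] === addslashes( "D'Arcy" ) ); // legacy readers see slashes
var_dump( _GET( 'missing' ) === null );              // absent key, no notice
```

The value returned by the accessor is raw request input, so escaping still has to happen at the point of use, for example `$wpdb->prepare()` for SQL and the output-escaping functions for HTML.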