[wp-trac] [WordPress Trac] #21767: Remove stripslashes from API functions
WordPress Trac
noreply at wordpress.org
Tue Feb 12 18:45:21 UTC 2013
#21767: Remove stripslashes from API functions
-------------------------------------------------+-------------------------
Reporter: alexkingorg | Owner:
Type: task (blessed) | Status: new
Priority: normal | Milestone: 3.6
Component: Formatting | Version: 3.4
Severity: normal | Resolution:
Keywords: has-patch needs-testing needs-unit- |
tests 3.6-early |
-------------------------------------------------+-------------------------
Comment (by ryan):
Wondering what havoc would ensue in plugin land if esc_sql() switched to
doing a real escape rather than a weak escape. Core almost always uses it
when actually constructing sql. This is an appropriate use.
wp_create_user() uses esc_sql() to prepare two variables for passing to
wp_insert_user(). addslashes() would have been a better choice. Those two
calls are removed in the patches here since wp_insert_user() will no
longer expect slashed arguments. esc_sql() is also used in
addslashes_gpc(). esc_sql() calls $wpdb->escape(). All of this implies
escaping for the DB when really it is just adding slashes for the purposes
of GPCS back compat. addslashes_gpc() should likely just pull the code
from $wpdb->escape() into itself so as to avoid implications that
addslashes_gpc() is about db escaping.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/21767#comment:65>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
More information about the wp-trac
mailing list