[wp-trac] [WordPress Trac] #18322: The Road to Magic Quotes Sanity
WordPress Trac
noreply at wordpress.org
Sun Jan 28 16:20:21 UTC 2018
#18322: The Road to Magic Quotes Sanity
--------------------------------------+-----------------------------
Reporter: ryan | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Future Release
Component: Bootstrap/Load | Version: 3.2.1
Severity: normal | Resolution:
Keywords: needs-patch dev-feedback | Focuses:
--------------------------------------+-----------------------------
Comment (by NathanAtmoz):
There's been [https://externals.io/messages/100087 discussion] that the
super globals might become read-only in PHP8. While this is a long way off
and certainly not a certainty, the idea of immutable super globals is
intriguing.
The attached patch creates a new class that stores the super globals
before `wp_magic_quotes()` is called, so the data is all unslashed. It
also adds some helper functions to get the data, but there's no way to
modify the data - ensuring that the data is always unslashed.
This would allow core a way forward by offering an API to get the
unslashed data but still maintaining the quoted super globals. Unsupported
plugins that were written to work with the actual PHP super globals would
still work and not have security compromised. Supported plugins could
change to use the new API if they want to work exclusively with unslashed
data.
In core, the new way to access the super globals would be:
{{{
// Old way
if ( isset( $_POST['var'] ) ) {
    do_something_with( $_POST['var'] );
}

// New way
if ( ! is_null( $var = _POST( 'var' ) ) ) {
    do_something_with( $var );
}
}}}
and it would be up to each individual case to decide if it should be
slashed before using. This also has the added benefit of not quoting and
unquoting unnecessarily.
The downside is obviously that there will be two sets of the super globals
available: the actual super globals that have been slashed and the un-
modified, unslashed, actually-not super globals.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/18322#comment:48>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
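The approach described in the comment above, as an added, self-contained illustration that is not the patch attached to the ticket: a class that snapshots the request super globals once, before slashing happens, and exposes them only through getters, so callers receive unslashed data and the live `$_POST` keeps the slashed form older plugins expect. The class name `Unslashed_Request`, the accessor `_POST()` and the local `local_add_magic_quotes()` stand-in for what `wp_magic_quotes()` does are assumptions made for this example, not names from the patch or from core.

```php
<?php
// Added example, not the ticket's patch. Names below are hypothetical.

final class Unslashed_Request {
    private static ?array $data = null;

    // Call exactly once, before wp_magic_quotes() adds slashes to the
    // live super globals. A second call is ignored so the snapshot can
    // never be overwritten with already-slashed data.
    public static function capture(): void {
        if ( self::$data !== null ) {
            return;
        }
        self::$data = array(
            'GET'     => $_GET,
            'POST'    => $_POST,
            'COOKIE'  => $_COOKIE,
            'REQUEST' => $_REQUEST,
        );
    }

    // Read-only access: returns the unslashed value, or null when the
    // key is absent. There is deliberately no setter.
    public static function get( string $global, string $key ) {
        if ( self::$data === null || ! isset( self::$data[ $global ][ $key ] ) ) {
            return null;
        }
        return self::$data[ $global ][ $key ];
    }
}

// Thin helpers in the style the comment proposes (hypothetical names).
function _POST( string $key ) { return Unslashed_Request::get( 'POST', $key ); }
function _GET( string $key )  { return Unslashed_Request::get( 'GET', $key ); }

// Stand-in for the slashing wp_magic_quotes() performs on the live
// super globals, kept local so this file runs without WordPress loaded.
function local_add_magic_quotes( array $array ): array {
    foreach ( $array as $k => $v ) {
        $array[ $k ] = is_array( $v ) ? local_add_magic_quotes( $v ) : addslashes( (string) $v );
    }
    return $array;
}

// --- Demonstration with a constructed request body ---
$_POST = array(
    'var'    => "O'Reilly \"quoted\"",
    'nested' => array( 'a' => "it's" ),
);

Unslashed_Request::capture();               // snapshot taken while data is still plain
$_POST = local_add_magic_quotes( $_POST );  // the slashed view legacy plugins rely on

// Old way: the value carries backslashes and needs wp_unslash() before use.
echo 'Slashed $_POST:   ', $_POST['var'], PHP_EOL;

// New way: the value is already plain, so no unslash round-trip is needed,
// and a missing key yields null instead of an undefined-index notice.
if ( ! is_null( $var = _POST( 'var' ) ) ) {
    echo 'Unslashed _POST: ', $var, PHP_EOL;
}
var_dump( _POST( 'missing' ) );
```

Running this shows the two views side by side: `$_POST['var']` has had backslashes added, while `_POST('var')` returns the original string. The one ordering rule that matters is that `capture()` runs before the slashing step; if a plugin modifies `$_POST` after that point, the snapshot will not reflect the change, which is the "two sets of super globals" downside the comment notes.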