[wp-hackers] wp_magic_quotes makes me sad panda

Lox lox.dev at knc.nc
Fri Oct 1 22:30:47 UTC 2010


2010/10/1 Peter Westwood <peter.westwood at ftwr.co.uk>

> If you want to test and provide a patch for every single plugin in the repo
> so that it works once this is done and before it is done then we might be
> able to consider this.
>

Lol. Come on, any change can be done over time. Think about the deprecated
functions in WP, or how it has been announced that the next WP major version
won't support the obsolete PHP4
(http://wordpress.org/news/2010/07/eol-for-php4-and-mysql4/).

See how PHP started the move away from magic_quotes_gpc years ago; it is
a progressive move which isn't finished yet, the option is still there and
has only been deprecated since version 5.3.

But WP hasn't started the change yet... That is what is wrong.


> Otherwise you are just flogging a dead horse - we value backwards
> compatibility and our ability to work in as many hosting environments as
> possible.
>
> This is what has made WordPress a successful platform
>
> A project that runs in so many different locations as WordPress does has to
> work with the lowest common denominator of scenarios and can't change just
> because something is a better way to do it now.
>

Come on, as WordPress escapes GPC vars in any hosting environment needing
it, it is then able to unescape those on wrongly configured hosting
environments needing it, making WP as compatible as it is now.


>
> Don't blame us because PHP used to be so broken in this respect :-( we are
> doing the best for the users we can do to keep them secure!
>

I do not blame anyone for how WordPress is. The purpose of my comments on
that subject is simply to have that change *planned*. And yes, I am aware
that such a change is a huge task, not only for plugins, but for WordPress
core. Every single piece of code has to get reviewed to escape the needed vars,
and it can be a source of security holes...

So here comes my solution to start the move: provide plugin devs with some
wrapper functions to access unescaped GPC vars, and communicate about it.

Cheers

-- 
Lox
lox.dev at knc.nc
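The mechanism the thread argues over, as an added stand-alone model (not WordPress's own code and not part of the original mail): core normalises GPC input to exactly one layer of slashes whatever the host's magic_quotes_gpc setting, and a wrapper of the kind proposed above hands plugin code the unescaped value so it can be escaped once, for the sink actually used. All demo_ names are hypothetical.

```php
<?php
// Recursively addslashes(), mirroring the effect of core's add_magic_quotes().
function demo_add_magic_quotes($value) {
    return is_array($value) ? array_map('demo_add_magic_quotes', $value) : addslashes($value);
}

// Recursively stripslashes(), mirroring core's stripslashes_deep().
function demo_stripslashes_deep($value) {
    return is_array($value) ? array_map('demo_stripslashes_deep', $value) : stripslashes($value);
}

// Model of wp_magic_quotes(): if the host already slashed the input
// (magic_quotes_gpc=On), undo that first, then apply core's own single layer.
// The result is identical on a correctly and on a "wrongly" configured host.
function demo_wp_magic_quotes(array $gpc, bool $magic_quotes_gpc_on): array {
    if ($magic_quotes_gpc_on) {
        $gpc = demo_stripslashes_deep($gpc);
    }
    return demo_add_magic_quotes($gpc);
}

// The wrapper the mail asks for: a plugin gets the raw bytes back and must
// escape them itself for its sink (prepared SQL statement, HTML output, ...).
function demo_unslashed_gpc(array $gpc, string $key) {
    return isset($gpc[$key]) ? demo_stripslashes_deep($gpc[$key]) : null;
}

// Constructed request: a title containing a quote and a backslash.
$raw_post = ['title' => "O'Reilly C:\\temp"];

// Host A has magic_quotes_gpc=On, so PHP slashed the input before WP saw it;
// host B has it Off and the input arrives untouched.
$from_host_a = demo_add_magic_quotes($raw_post);
$from_host_b = $raw_post;

$norm_a = demo_wp_magic_quotes($from_host_a, true);
$norm_b = demo_wp_magic_quotes($from_host_b, false);

// Both hosts end up with the same slashed form in the superglobal.
var_dump($norm_a === $norm_b);
var_dump($norm_a['title']);

// A plugin that forgets the pre-slashing and stores $norm_a['title'] through a
// prepared statement persists literal backslashes; the wrapper returns the
// original bytes, so whatever escaping the sink needs is applied exactly once.
var_dump(demo_unslashed_gpc($norm_a, 'title') === $raw_post['title']);
```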

