[wp-hackers] Magic quotes "on" forever?

Mark Waterous lists at watero.us
Wed May 5 21:25:41 UTC 2010


Doesn't it seem a little outdated to be doing this when even PHP is removing
the feature from its core set of directives? Such security issues should be
handled inside of the database abstraction and not on a global scale, but
then I probably just don't understand the implementation due to not seeing
it from a core developer's pov.

I just discovered it myself the other day while working on deep integration
of phpBB, and while it was fairly easy to work around it was still a bit of
a glassy-eyed look when I found it.
-Mark

-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of Otto
Sent: Wednesday, May 05, 2010 11:10 AM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] Magic quotes "on" forever?

On Wed, May 5, 2010 at 12:59 PM, Olivier <autremonde75 at gmail.com> wrote:
> This piece of code makes me think, if I understand it well, that in the
> end, quotes are applied to all data to make things consistent across
> hosts whatever the magic quotes setting is.
>
> Can you please confirm that my understanding is right and so, based on
> that, I have to stripslashes_deep again all data (without testing
> get_magic_quotes_gpc as quotes are always applied) before manipulation
> (and then obviously use prepare before DB insertion to escape
> the quotes again)?

You are basically correct, yes. For consistency, all those are magic
quoted regardless of whatever setting was used anywhere.

You can do a stripslashes_deep on the whole $_POST or whatever you
need to dequote the whole thing and every subarray in it, if you need
to do so.

-Otto
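As an added example (not code from this thread or from WordPress itself), a stand-alone PHP script modelling the flow Otto describes: the slashing WordPress applies to request data regardless of magic_quotes_gpc, stripslashes_deep() to undo it, and a stand-in for the escaping $wpdb->prepare() performs, which shows why skipping the strip stores doubled backslashes. The helpers add_slashes_deep and prepare_stand_in are local stand-ins invented for this script, not WordPress functions.

```php
<?php
// Added example, not code from the thread or from WordPress itself.
// WordPress slashes $_GET/$_POST/$_COOKIE on every request, whatever
// magic_quotes_gpc says, so plugin code must stripslashes_deep() before
// using the data and then escape exactly once (via $wpdb->prepare()) on
// the way into the database.

// Local stand-ins so the script runs outside WordPress; they mirror the
// recursive behaviour of the helpers under discussion, not WP's source.
function add_slashes_deep($value) {
    return is_array($value) ? array_map('add_slashes_deep', $value)
                            : addslashes((string) $value);
}
function stripslashes_deep($value) {
    return is_array($value) ? array_map('stripslashes_deep', $value)
                            : stripslashes((string) $value);
}
// Stand-in for the escaping $wpdb->prepare() applies to a %s placeholder.
function prepare_stand_in($sql, $param) {
    return str_replace('%s', "'" . addslashes($param) . "'", $sql);
}

// Constructed request body, as the browser sent it (no slashes yet).
$raw_post = ['title' => "O'Reilly's \"quotes\"", 'tags' => ["it's", 'plain']];

// What a plugin actually finds in $_POST once WordPress has loaded.
$wp_post = add_slashes_deep($raw_post);

// Wrong: escaping the already-slashed value a second time stores literal
// backslashes in the database (three per quote instead of none).
$double = prepare_stand_in('INSERT INTO t (title) VALUES (%s)', $wp_post['title']);

// Right: strip WordPress's slashes first, then let prepare() escape once.
$clean  = stripslashes_deep($wp_post);
$single = prepare_stand_in('INSERT INTO t (title) VALUES (%s)', $clean['title']);

// Sanity checks: the strip recovers the raw input exactly; the title has
// four quote characters, so the wrong path carries 12 backslashes, the
// right one 4.
if ($clean !== $raw_post)              { throw new RuntimeException('stripslashes_deep did not recover the raw input'); }
if (substr_count($double, '\\') !== 12) { throw new RuntimeException('expected double-escaped backslashes'); }
if (substr_count($single, '\\') !== 4)  { throw new RuntimeException('expected one backslash per quote'); }

echo "WordPress hands the plugin: {$wp_post['title']}\n";
echo "Escaped twice (wrong):      $double\n";
echo "Escaped once (right):       $single\n";
```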


