[wp-hackers] wp_magic_quotes makes me sad panda

Johan Eenfeldt johan.eenfeldt at gmail.com
Wed Sep 29 08:54:57 UTC 2010


On Wed, Sep 29, 2010 at 12:14 AM, Otto <otto at ottodestruct.com> wrote:
> On Tue, Sep 28, 2010 at 4:53 PM, Lox <lox.dev at knc.nc> wrote:
>> 2010/9/27 Gavin Lambert <wphack at mirality.co.nz>
>>
>>> 5. Magic quotes are deprecated (and disabled by default) in PHP 5
>>
>>
>> Hi,
>>
>> That makes me ask: why is WordPress adding magic quotes whereas it has been
>> recognized to be a "bad practice" in PHP development?
>
> Older plugins that relied on magic quotes may suddenly break if WP
> starts returning non-MQ values. This could open security issues.

Not just plugins.

Remove that forced MQ and your passwords will no longer match
(http://core.trac.wordpress.org/ticket/13655).

Quite a bit of core WordPress handles strings which might be from user
input, and not all of it is consistent. Are all callers of
wp_insert_user() or the *_metadata() functions aware that strings will
be stripslashed for example?

Are you sure? ;)

Look long enough at this stuff and you WILL find bugs
(http://core.trac.wordpress.org/ticket/14516).

/ Johan
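
The slashing mismatch described in the message above, reduced to a single value. This is an added example, not code from the thread or from WordPress core. The function names are hypothetical, addslashes() stands in for the forced quoting, and password_hash() stands in for whatever hash the application uses.

```php
<?php
// Added illustration. All function names here are hypothetical, not WordPress core.

// Emulates what forced magic quotes do to one incoming request value.
function emulate_forced_quotes($value) {
    return addslashes($value);
}

// A callee written on the assumption that every caller passes slashed input.
function hash_expecting_slashed($password) {
    return password_hash(stripslashes($password), PASSWORD_DEFAULT);
}

// A login check written on the same assumption.
function verify_expecting_slashed($password, $hash) {
    return password_verify(stripslashes($password), $hash);
}

// Constructed sample: the user types  pa\ss"word  (one backslash, one quote).
$typed = 'pa\\ss"word';

// Registration happens while forced quoting is still in place.
$hash = hash_expecting_slashed(emulate_forced_quotes($typed));

// Case 1: login also receives slashed input. The callee's stripslashes()
// undoes exactly what the quoting added, so the original string is checked.
$consistent = verify_expecting_slashed(emulate_forced_quotes($typed), $hash);

// Case 2: forced quoting is removed but the callee still strips. Now
// stripslashes() eats the backslash the user typed, and a different
// string is checked against the stored hash.
$after_removal = verify_expecting_slashed($typed, $hash);

// Case 3: a password with no backslash or quote is identical in both forms,
// which is why this class of bug survives ordinary testing.
$plain = 'correct horse';
$plain_hash = hash_expecting_slashed(emulate_forced_quotes($plain));
$plain_after_removal = verify_expecting_slashed($plain, $plain_hash);

var_dump($consistent, $after_removal, $plain_after_removal);
```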

