[wp-hackers] Magic Quoting removal Road Map/Plan

John Blackbourn johnbillion+wp at gmail.com
Fri Jun 10 15:26:29 UTC 2011


On 10 June 2011 15:57, Jari Pennanen <ciantic at oksidi.com> wrote:
> Hello!
>
> I've been doing plugins and WordPress themes now for a few weeks, and I
> just discovered that there is a nasty ancient relic: MAGIC QUOTING,
> still enforced in WP. Needless to say it has to be abolished some
> time. But I found out that there is no plan, or any kind of road map
> to get rid of it!
>

Hi Jari,

Welcome to WordPress!

This topic has been discussed at length in the past, most recently in
March [1]. This specific response from Andrew Nacin [2] sums it up
well (Andrew is a WordPress core committer).

The single most important thing is consistency - whether we have magic
quoted variables or non-magic quoted variables - as long as we only have
one or the other then it makes the lives of WordPress plugin
developers that much easier and their code that much more secure. It's
important to realise that having magic quoted variables isn't
inherently bad, the badness comes from inconsistencies between
environments (which is what WordPress avoids by magic quoting
everything). If a plugin author forgets a conditional check somewhere
on a variable and doesn't escape it, it introduces a potential
security vulnerability (which is one of the main reasons magic quoting
was deprecated in PHP itself - to achieve consistency).

The code that you included has little benefit over PHP's default
implementation of magic quotes. The end result is that plugins must
still perform conditional logic each time they interface with $_GET or
$_POST variables to see whether the data is magic quoted or not. This
is exactly what we avoid in the WordPress environment by quoting
everything.

John

[1] http://groups.google.com/group/wp-hackers/search?group=wp-hackers&q=add_magic_quotes
[2] http://groups.google.com/group/wp-hackers/msg/5946c2dab52c88e6
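The consistency argument above, as an added PHP illustration that is not code from this thread or from WordPress core. It contrasts the per-read conditional check a plugin needs when it cannot know whether PHP's magic quotes were applied with the WordPress model of slashing everything and unslashing exactly once. The `$request` array and the helper names `read_input_inconsistent`, `slash_deep` and `unslash_deep` are constructed for this example; `get_magic_quotes_gpc()`, `addslashes()`, `stripslashes()` and `htmlspecialchars()` are real PHP functions, and WordPress's own `stripslashes_deep()` has the same recursive contract as `unslash_deep` here.

```php
<?php
// Added illustration, not code from the mailing-list thread or WordPress core.
// It models the two situations John describes: an environment where a plugin
// cannot know whether input was slashed, versus one where input is always
// slashed and can therefore be unslashed exactly once.

// --- Situation 1: inconsistent environment -------------------------------
// Before PHP 5.4, magic_quotes_gpc could be on or off depending on php.ini,
// so a plugin had to branch on get_magic_quotes_gpc() every time it read
// $_GET / $_POST. Forgetting the branch either double-escapes the data or,
// worse, passes raw input through unescaped. (get_magic_quotes_gpc() was
// removed in PHP 8, hence the function_exists() guard.)
function read_input_inconsistent(array $source, string $key): string {
    $value = isset($source[$key]) ? (string) $source[$key] : '';
    // This is the conditional check the message refers to; easy to forget.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// --- Situation 2: the WordPress model ------------------------------------
// WordPress adds slashes to $_GET, $_POST, $_COOKIE and $_SERVER itself,
// unconditionally, so a plugin author knows the data is always slashed and
// unslashes it once. The two helpers below are hypothetical stand-ins that
// operate on a constructed array instead of the real superglobals.
function slash_deep($value) {
    return is_array($value)
        ? array_map('slash_deep', $value)
        : addslashes((string) $value);
}

function unslash_deep($value) {
    // Same recursive contract as WordPress's stripslashes_deep().
    return is_array($value)
        ? array_map('unslash_deep', $value)
        : stripslashes((string) $value);
}

// Constructed sample request: values containing quotes, as a user might type.
$request = [
    'title' => "O'Reilly said \"hi\"",
    'tags'  => ["it's", 'plain'],
];

// Consistent pipeline: slashed on the way in, unslashed once on the way out,
// then escaped for the specific sink being written to. Escaping for the sink
// (here HTML output; for SQL the real-world choice is $wpdb->prepare()) is a
// separate step from undoing the transport slashing.
$slashed  = slash_deep($request);
$title    = unslash_deep($slashed['title']);
$for_html = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');

// Round trip check: unslashing once recovers exactly what the user sent.
$round_trip_ok = (unslash_deep($slashed) === $request);

// In the inconsistent model the same read requires the runtime check every
// time; with magic quotes off the constructed array is returned unchanged.
$legacy_title = read_input_inconsistent($request, 'title');

var_dump($round_trip_ok);
var_dump($legacy_title === $request['title']);
echo $for_html, PHP_EOL;
```

The design point is the one the message makes: the security benefit comes from knowing the state of the data at every read, not from slashing itself. Once the data is reliably unslashed, escaping is still done per sink (HTML, SQL, attribute), never by relying on the transport-level slashes.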

