[wp-hackers] Magic Quoting removal Road Map/Plan

John Blackbourn johnbillion+wp at gmail.com
Fri Jun 10 15:44:30 UTC 2011


On 10 June 2011 16:28, Jari Pennanen <ciantic at oksidi.com> wrote:
> Hi!
>
> Got perhaps a better idea for the first phase: encourage a wrapper for
> getting user inputs which always gives the data in *non-magic quoted*
> format:
>
>  function wp_get_post($key[, $defaultvalue=null]);
>  function wp_get_get($key[, $defaultvalue=null]);
>  function wp_get_request($key[, $defaultvalue=null]);
>
> These wrappers would allow developers to see when wp_magic_quotes can
> be removed == when most people use these wrapper functions in plugins.

That's fine, but you're straying from the issue at hand. If functions
like this were implemented we are still left with the $_GET and $_POST
superglobals that are currently quoted. The issue is that we cannot
remove quoting from these variables because it introduces a security
vulnerability for every plugin and theme that's been written up until
this point. If we can't remove quoting from the superglobals, this is
a fruitless exercise.
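
The following is an added example, not part of the original thread and not WordPress code. It shows why a wrapper helps new code but legacy plugins break if the superglobals stop being quoted. All function names, the table `example_table` and the sample input are hypothetical; `example_get_post` is only modeled on the signature proposed in the quoted message.

```php
<?php
// Constructed request data standing in for $_POST (not from the thread).
$raw = array( 'author' => "O'Brien" );

// Stand-in for the slashing WordPress applies to the superglobals at load time.
function example_magic_quote( array $data ) {
    return array_map( 'addslashes', $data );
}

// Legacy plugin pattern: trusts that the superglobal already arrived slashed
// and interpolates it straight into SQL. Table and column are hypothetical.
function legacy_plugin_sql( array $post ) {
    return "SELECT id FROM example_table WHERE author = '" . $post['author'] . "'";
}

// True when no single quote in the value is left unescaped, i.e. the value
// cannot end the surrounding '...' literal early.
function stays_inside_literal( $value ) {
    return ! preg_match( "/(?<!\\\\)(?:\\\\\\\\)*'/", $value );
}

// Modeled on the wp_get_post($key, $defaultvalue) signature proposed in the
// quoted message; the body is an assumption. Returns the value unslashed.
function example_get_post( array $quoted_post, $key, $default = null ) {
    return isset( $quoted_post[ $key ] ) ? stripslashes( $quoted_post[ $key ] ) : $default;
}

// New-style plugin code: takes the unslashed value and keeps it out of the SQL
// text (in WordPress, this pair would be passed to $wpdb->prepare()).
function new_plugin_sql( array $quoted_post ) {
    return array(
        'SELECT id FROM example_table WHERE author = %s',
        array( example_get_post( $quoted_post, 'author' ) ),
    );
}

$quoted = example_magic_quote( $raw );
$cases  = array( 'superglobal quoted (today)' => $quoted, 'quoting removed' => $raw );
foreach ( $cases as $label => $post ) {
    printf( "%s:\n  %s\n  value confined to literal: %s\n", $label,
        legacy_plugin_sql( $post ),
        stays_inside_literal( $post['author'] ) ? 'yes' : 'NO' );
}
list( $sql, $args ) = new_plugin_sql( $quoted );
printf( "wrapper + placeholder:\n  %s  args=%s\n", $sql, json_encode( $args ) );
```

The legacy function is unchanged between the two cases; only the state of the superglobal differs, which is the compatibility problem the reply describes.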

