[wp-hackers] Magic Quoting removal Road Map/Plan

Peter Westwood peter.westwood at ftwr.co.uk
Fri Jun 10 16:07:26 UTC 2011


On 10 Jun 2011, at 16:46, Jari Pennanen wrote:

> Hi!
> 
> 2011/6/10 John Blackbourn <johnbillion+wp at gmail.com>:
>> That's fine, but you're straying from the issue at hand. If functions
>> like this were implemented we are still left with the $_GET and $_POST
>> superglobals that are currently quoted. The issue is that we cannot
>> remove quoting from these variables because it introduces a security
>> vulnerability for every plugin and theme that's been written up until
>> this point. If we can't remove quoting from the superglobals, this is
>> a fruitless exercise.
> 
> No sir. If everyone starts to use the new API we can get rid of $_GET and
> $_POST quoting. Get it? We must push everyone to use the new API and when
> in the distant future, future of PHP6 maybe, we can get rid of this _GET
> _POST quoting etc.

Nope.

Because that assumes that you can magically ensure that every piece of even non-public plugin and theme code gets converted over.

Cheers
-- 
Peter Westwood
http://blog.ftwr.co.uk | http://westi.wordpress.com
C53C F8FC 8796 8508 88D6 C950 54F4 5DCD A834 01C5
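
The dependency discussed in this thread, as an added example that is not part of the original messages and is not WordPress code: a legacy handler that interpolates a quoted superglobal value into SQL, next to a migrated handler that behaves the same whether or not quoting is applied. The function names, the `notes` table, the request value and the use of PDO with in-memory SQLite (requires the pdo_sqlite extension) are all assumptions made for illustration.

```php
<?php
// Added illustration; every name below is hypothetical.

// Stand-in for the quoting WordPress applies to the superglobals at startup.
function quote_superglobal(array $input): array {
    return array_map('addslashes', $input);
}

// Legacy plugin pattern: written on the assumption that $post arrives already
// slashed, so the value is interpolated into SQL with no escaping of its own.
function legacy_query(array $post): string {
    return "SELECT id FROM notes WHERE owner = '" . $post['owner'] . "'";
}

// Migrated pattern: undo any quoting, then bind the value as a parameter, so
// the result does not depend on whether the superglobals are quoted.
function migrated_lookup(PDO $db, array $post, bool $quoted): array {
    $owner = $quoted ? stripslashes($post['owner']) : $post['owner'];
    $stmt  = $db->prepare('SELECT id FROM notes WHERE owner = ?');
    $stmt->execute([$owner]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE notes (id INTEGER, owner TEXT)");
$db->exec("INSERT INTO notes VALUES (1, 'alice'), (2, 'bob')");

// Constructed request value containing single quotes.
$raw = ['owner' => "x' OR '1'='1"];

foreach ([true, false] as $quoted) {
    $post = $quoted ? quote_superglobal($raw) : $raw;
    echo $quoted ? "quoted:   " : "unquoted: ", legacy_query($post), "\n";
    // The legacy string is only printed: with quoting the quotes stay inside
    // the literal (backslash-escaped, as MySQL reads them); without quoting
    // the same unchanged code emits SQL whose WHERE clause the input rewrote.
    echo "  migrated rows: ",
         json_encode(migrated_lookup($db, $post, $quoted)), "\n";
}
```

The legacy function is byte-for-byte identical in both runs; only the platform behaviour underneath it changed, which is why unconverted code cannot simply be left in place when quoting is removed.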


