[wp-hackers] add_magic_quotes() Plans for removal?

Ollie Read me at ollieread.com
Mon Mar 7 12:33:51 UTC 2011


I've had a look through the archives and could only find a few entries 
about this particular issue.

I understand that when this code was introduced, PHP was pre-magic quote 
deprecation and so many plugins have now been coded to allow for the 
automatic escaping of incoming data. What I don't understand is why this 
particular piece of functionality is still there.

As of WordPress 3.1, I have noticed that $_POST, $_GET, $_COOKIE and 
$_SERVER are all escaped with no reasoning or regards for php.ini 
settings. For instance, I am running PHP 5.3.4 so the magic_quotes 
option doesn't even exist within php.ini. I've created a small plugin 
(WP-NMMQ) so there is some way to reverse this but it's only really a 
temporary hack.

Perhaps it is worth looking into removing this piece of code in future 
releases and warning the developers before hand, that as of this 
version, there will need to be certain modifications to the plugins. 
Better yet, if you feel that the code should remain (not sure why) then 
perhaps an option should be in place to turn this on or off? Or even 
have the system automatically detect whether or not PHP is 5.3+ and disable?

If it was at all possible, I'd be happy to contribute code to address 
these issues and hopefully provide one of the fixes I suggested, but I'm 
not entirely sure how one would go about doing so.

Also, apologies if I have dragged up an old topic that was answered 
previously, but the archive is rather large.

More information about the wp-hackers mailing list