[wp-hackers] add_magic_quotes() Plans for removal?

Kevin Newman CaptainN at unFocus.com
Mon Mar 7 14:58:30 UTC 2011


I recently wrestled with the same problem. I checked the php setting 
(get_ini), and failed to understand why everything is still escaped, 
even when the php.ini setting shows it was clearly disabled (until I 
found the actual function that does it, and some really really old forum 
posts).

Suggested fixes:

1. When you re-escape everything, also set the magic quotes ini setting. 
If setting the php.ini flag doesn't get reflected in get_ini, at least 
add a WP function to check whether this is disabled (or add it to some 
document somewhere).

2. Add a wp-config setting that simply turns off the WP auto-magic-quotes.

I understand why it was done, and why there has been no effort to change 
it, but if PHP core can go through the pain, surely WordPress can handle 
the change too.

Thanks,

Kevin N.


On 3/7/2011 7:33 AM, Ollie Read wrote:
> Hello,
>
> I've had a look through the archives and could only find a few entries 
> about this particular issue.
>
> I understand that when this code was introduced, PHP was pre-magic 
> quote deprecation and so many plugins have now been coded to allow for 
> the automatic escaping of incoming data. What I don't understand is 
> why this particular piece of functionality is still there.
>
> As of WordPress 3.1, I have noticed that $_POST, $_GET, $_COOKIE and 
> $_SERVER are all escaped with no reasoning or regards for php.ini 
> settings. For instance, I am running PHP 5.3.4 so the magic_quotes 
> option doesn't even exist within php.ini. I've created a small plugin 
> (WP-NMMQ) so there is some way to reverse this but it's only really a 
> temporary hack.
>
> Perhaps it is worth looking into removing this piece of code in future 
> releases and warning the developers beforehand, that as of this 
> version, there will need to be certain modifications to the plugins. 
> Better yet, if you feel that the code should remain (not sure why) 
> then perhaps an option should be in place to turn this on or off? Or 
> even have the system automatically detect whether or not PHP is 5.3+ 
> and disable?
>
> If it was at all possible, I'd be happy to contribute code to address 
> these issues and hopefully provide one of the fixes I suggested, but 
> I'm not entirely sure how one would go about doing so.
>
> Also, apologies if I have dragged up an old topic that was answered 
> previously, but the archive is rather large.
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
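
Added example, not part of the thread or of WordPress core: a stand-alone PHP sketch of the behaviour both messages describe, where request data arrives slashed even though ini_get() reports magic quotes as off. The names emulate_add_magic_quotes() and emulate_unslash() and the sample data are hypothetical, and the slashing is assumed to be a recursive addslashes().

```php
<?php
// Added illustration: emulates application-level slashing; not WordPress core code.

// Hypothetical stand-in for the slashing step: addslashes() on every value, recursively.
function emulate_add_magic_quotes(array $data): array {
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? emulate_add_magic_quotes($value)
            : addslashes((string) $value);
    }
    return $data;
}

// Hypothetical helper: undo that slashing exactly once, recursively.
function emulate_unslash($value) {
    return is_array($value)
        ? array_map('emulate_unslash', $value)
        : stripslashes((string) $value);
}

// Constructed sample request data (what the client actually sent).
$raw_post = [
    'author'  => "O'Reilly",
    'comment' => 'path is C:\\temp',
    'tags'    => ["it's", 'say "hi"'],
];

// What plugin code sees once the application has slashed the superglobal.
$_POST = emulate_add_magic_quotes($raw_post);

// The php.ini view: ini_get() returns false for a directive PHP does not know,
// and an empty or "0" value when it is off, so this reports "off" either way.
$ini = ini_get('magic_quotes_gpc');
printf("ini reports magic quotes: %s\n", $ini ? 'on' : 'off');
printf("value seen by plugin:     %s\n", $_POST['author']);

// Handling that works regardless of php.ini: unslash once at the point of use.
$clean = emulate_unslash($_POST);
printf("after one unslash:        %s\n", $clean['author']);
printf("round trip intact:        %s\n", $clean === $raw_post ? 'yes' : 'no');

// Failure mode: code that escapes again on top of the slashing corrupts stored data.
$double = emulate_add_magic_quotes($_POST);
printf("escaped twice:            %s\n", $double['author']);

// Slashes are not output encoding; encode for the HTML context after unslashing.
printf("html-encoded tag:         %s\n", htmlspecialchars($clean['tags'][1], ENT_QUOTES, 'UTF-8'));
```

Slashing of this kind is also not a substitute for parameterized queries; the unslashed value should go to a prepared statement rather than being concatenated into SQL.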


