[wp-hackers] add_magic_quotes() Plans for removal?

Ollie Read me at ollieread.com
Tue Mar 8 08:24:36 UTC 2011

Date: Mon, 7 Mar 2011 15:25:57 +0000
> From: Peter Westwood<peter.westwood at ftwr.co.uk>
> Subject: Re: [wp-hackers] add_magic_quotes() Plans for removal?
> To: wp-hackers at lists.automattic.com
> Message-ID:<B1E74F10-4B1D-4C66-8BF2-BAA22210AC64 at ftwr.co.uk>
> Content-Type: text/plain; charset=us-ascii
> On 7 Mar 2011, at 14:58, Kevin Newman wrote:
>> I recently wrestled with the same problem. I checked the php setting (get_ini), and failed to understand why everything is still escaped, even when the php.ini setting shows it was clearly disabled (until I found the actual function that does it, and some really really old forum posts).
>> Suggested fixes:
>> 1. When you re-escape everything, also set the magic quotes ini setting. If setting the php.ini flag doesn't get reflected in get_ini, at least add a WP function to check whether this is disabled (or add it to some document somewhere).
>> 2. Add a wp-config setting that simply turns off the WP auto-magic-quotes.
>> I understand why it was done, and why there has been no effort to change it, but if PHP core can go through the pain, surely WordPress can handle the change too.
> As has been said in response to previous threads on this subject.
> We would love to remove this code but we can't without opening up numerous possible security issues in plugins which unfortunately rely on it.
> If you want to go through and review every plugin in the plugin repo.
> Create patches and get them accepted by the plugin authors.
> Then we can consider removing this code. Until then it is not a good idea.
> Cheers
I understand that a lot of plugins use this method, and without it, 
would be open to security holes, but providing fair enough warning is 
given to plugin developers, and WordPress users a like, then if anyone 
manages to leave a security flaw open, then it's their own fault for not 
heeding the warnings.

The fact that a lot of plugins rely on this method is bad enough, it's 
bad coding practise. I recently wrote, and submitted a plugin called 
WP-NMMQ which undoes this, there is going to be an update soon to fix 
some issues with it, but I don't see why removing it is so bad.


More information about the wp-hackers mailing list