[wp-hackers] add_magic_quotes() Plans for removal?

Andrew Nacin wp at andrewnacin.com
Tue Mar 8 08:50:46 UTC 2011


On Tue, Mar 8, 2011 at 3:24 AM, Ollie Read <me at ollieread.com> wrote:

> I understand that a lot of plugins use this method, and without it, would
> be open to security holes, but providing fair enough warning is given to
> plugin developers, and WordPress users alike, then if anyone manages to
> leave a security flaw open, then it's their own fault for not heeding the
> warnings.
>

Not really, no. We don't make changes like that. Hypotheticals are fine and
dandy until millions of sites are mass-exploited through SQL injections
that, yes, we would have directly caused. And, yes, PHP indirectly caused.

We didn't invent magic quotes, and we implemented them back when they
weren't deprecated. Not because we liked them, but because we needed
standardization. Don't shoot the messenger (or implementer). In hindsight?
Sure, bad idea implementing it, just as it was a horrible "feature" that
should never have been written. Anything we can do now? No, not for a long
time. We're stuck with it.

This is from an email to wp-hackers [0] in May 2010, written by John
Blackbourn. As a summary of the situation, it's simply excellent: --

This issue was raised (in a rather less constructive manner) on Trac
back in July http://core.trac.wordpress.org/ticket/10452 .

The general consensus (Ryan, Lloyd, Dion) was the same as what Westi
and Otto have just mentioned, that it would be great to remove the
magic quote emulation but the issues with backward compatibility are
too great. There are simply too many plugins out there that expect
escaped data that it would be asking for trouble.

Additionally, removing magic quote emulation would mean that plugins
would have to go back to checking for get_magic_quotes_gpc() (or a
similar WordPress function) and the whole reason WordPress emulates
magic quotes in the first place is to avoid this. So maybe we're stuck
with this forever?

I think more important is consistency, and that's what we've got at
the moment. Everything is magic quoted, and everyone knows this (and
if they don't they soon find out), so we're ok.

[0] http://lists.automattic.com/pipermail/wp-hackers/2010-May/031793.html
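As an added illustration of the backward-compatibility point above (this is not code from the thread or from WordPress core), the stand-alone PHP below contrasts a handler that only works because the request data already carries the emulated slashes with one that unslashes and then escapes explicitly, so its quoting never depends on the emulation. `emulate_magic_quotes()`, both handlers and the sample input are constructed for this example; the real WordPress functions they stand in for are named in the comments.

```php
<?php
// Constructed stand-in for WordPress's add_magic_quotes(): recursively
// addslashes() every string in a request array, as core does for
// $_GET, $_POST, $_COOKIE and $_SERVER on every load.
function emulate_magic_quotes(array $data): array {
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = emulate_magic_quotes($value);
        } elseif (is_string($value)) {
            $data[$key] = addslashes($value);
        }
    }
    return $data;
}

// Handler A: the "plugins that expect escaped data" case from the thread.
// It interpolates the request value directly and is only safe because
// WordPress has already slashed it. Remove the emulation and the quote
// in the value is no longer escaped.
function handler_relying_on_magic_quotes(array $request): string {
    return "SELECT * FROM wp_posts WHERE post_title = '{$request['title']}'";
}

// Handler B: strips the slashes WordPress added (wp_unslash() in real
// plugin code), then escapes explicitly (what esc_sql() or
// $wpdb->prepare() do). The escaping is the handler's own responsibility,
// so it does not rely on the emulation being present.
function handler_unslash_then_escape(array $request): string {
    $title = stripslashes($request['title']);
    $title = addslashes($title);
    return "SELECT * FROM wp_posts WHERE post_title = '{$title}'";
}

// Constructed input: a value containing a single quote, as a user might type.
$raw    = ['title' => "O'Reilly"];
$quoted = emulate_magic_quotes($raw);

// With emulation in place both handlers keep the quote escaped.
echo handler_relying_on_magic_quotes($quoted), "\n";
echo handler_unslash_then_escape($quoted), "\n";

// Without emulation (raw input), handler A leaves the quote unescaped and
// the SQL structure is now determined by user input; handler B still
// escapes it itself.
echo handler_relying_on_magic_quotes($raw), "\n";
echo handler_unslash_then_escape($raw), "\n";
```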

