[wp-hackers] add_magic_quotes() Plans for removal?
me at ollieread.com
Tue Mar 8 09:07:27 UTC 2011
I completely understand that there would be many security issues that
arise because of this, but the biggest issue I've had with this, is the
fact that it actually clashes with other functionality within the site.
The documentation recommends that we use the WPDB object for database
queries, as creating another separate connection to the database would
be a tad silly. Well, if we were to use, say $wpdb->insert() or
$wpdb->update(), then the $_POST data would need to be unescaped as
these functions will escape, again, before inserting. So at the moment,
we're having to write code to remove slashes from these variables, which
is then almost instantly undone by the WPDB object which adds them back
again, for database insertion.
I recently had a plugin accepted to the directory called WP-NMMQ (no
more magic quotes) and while it is currently very basic, I intend to
make some modifications and promote this plugin to help get plugin
developers to not rely on this built in function. Do you think that if
enough developers and individuals backed this, and made the appropriate
modifications, this would be something you'd approach again in the future?
Also, as someone earlier suggested, you don't have to remove it, but
provide an option to remove the slashes, which could be placed at the
top of the plugin file (which my plugin will provide), and then later
move it to an option within the settings. I'd be happy to work up a
patch to come to some sort of middle ground, where the function would be
used as default, but provide developers with the functionality to
disable for a particular file and/or plugin.
Again, I'm aware that of the ramifications of removing such
functionality, and I mean no disrespect to any of the core developers as
WordPress is truly an amazing platform, but without bringing the
specific issues into this post, I have noticed a few other issues which
appear to have come around because of new tech/versions. And as I've
mentioned before, rather than just sit and complain about these issues,
I'd be happy to contribute towards solving them, even if the code was
only reviewed by yourselves and taken into consideration for the future.
On 08/03/2011 08:50, Andrew Nacin wrote:
> On Tue, Mar 8, 2011 at 3:24 AM, Ollie Read <me at ollieread.com
> <mailto:me at ollieread.com>> wrote:
> I understand that a lot of plugins use this method, and without
> it, would be open to security holes, but providing fair enough
> warning is given to plugin developers, and WordPress users a like,
> then if anyone manages to leave a security flaw open, then it's
> their own fault for not heeding the warnings.
> Not really, no. We don't make changes like that. Hypotheticals are
> fine and dandy until millions of sites are mass-exploited through SQL
> injections that, yes, we would have directly caused. And, yes, PHP
> indirectly caused.
> We didn't invent magic quotes, and we implemented them back when they
> weren't deprecated. Not because we liked them, but because we needed
> standardization. Don't shoot the messenger (or implementer). In
> hindsight? Sure, bad idea implementing it, just as it was a horrible
> "feature" that should never have been written. Anything we can do now?
> No, not for a long time. We're stuck with it.
> This is from an email to wp-hackers  in May 2010, written by John
> Blackbourn. As a summary of the situation, it's simply excellent: --
> This issue was raised (in a rather less constructive manner) on Trac
> back in July http://core.trac.wordpress.org/ticket/10452 .
> The general concensus (Ryan, Lloyd, Dion) was the same as what Westi
> and Otto have just mentioned, that it would be great to remove the
> magic quote emulation but the issues with backward compatibility are
> too great. There are simply too many plugins out there that expect
> escaped data that it would be asking for trouble.
> Additionally, removing magic quote emulation would mean that plugins
> would have to go back to checking for get_magic_quotes_gpc() (or a
> similar WordPress function) and the whole reason WordPress emulates
> magic quotes in the first place is to avoid this. So maybe we're stuck
> with this forever?
> I think more important is consistency, and that's what we've got at
> the moment. Everything is magic quoted, and everyone knows this (and
> if they don't they soon find out), so we're ok.
>  http://lists.automattic.com/pipermail/wp-hackers/2010-May/031793.html
More information about the wp-hackers