[wp-hackers] Enforced magic quotes?

David Anderson david at wordshell.net
Fri Jun 28 07:15:36 UTC 2013


Today, after a lot of debugging, I came across a fact that after a 
decade tinkering with WordPress had somehow escaped me... apparently, 
WordPress enforces behaviour as if PHP's (deprecated, now removed) 
magic_quotes_gpc was always on. (Not 'always off', as most (all?) other 
frameworks... which is what I'd merrily assumed for years).

Codex (http://codex.wordpress.org/Function_Reference/stripslashes_deep) 
says that this is " WordPress does this because too much core and plugin 
code has come to rely on the quotes being there".

That's rather unfortunate (that WP took the opposite approach to PHP - 
PHP decided the long-term solution was "always, permanently off"; WP 
decided "always on") - are we stuck with this forever, or is there a 
plan to reverse it at some point? Are sane plugin authors doomed (as it 
says on http://www.php.net/manual/en/security.magicquotes.whynot.php), 
to be permanently having the maintenance/performance burden of WP always 
adding unwanted slashes, and then we remove them?


WordShell - WordPress fast from the CLI - www.wordshell.net

More information about the wp-hackers mailing list