[wp-hackers] Enforced magic quotes?

Dion Hulse (dd32) wordpress at dd32.id.au
Fri Jun 28 15:40:34 UTC 2013

On 28 June 2013 17:15, David Anderson <david at wordshell.net> wrote:

> Hi,
> Today, after a lot of debugging, I came across a fact that after a decade
> tinkering with WordPress had somehow escaped me... apparently, WordPress
> enforces behaviour as if PHP's (deprecated, now removed) magic_quotes_gpc
> was always on. (Not 'always off', as most (all?) other frameworks... which
> is what I'd merrily assumed for years).
> ...snip..

That's rather unfortunate (that WP took the opposite approach to PHP - PHP
> decided the long-term solution was "always, permanently off"; WP decided
> "always on") - are we stuck with this forever, or is there a plan to
> reverse it at some point?

For a bit of history:
When PHP first introduced the magic_quotes feature, it was permanently on,
Then there was an option to disable it (but recommended NOT to disable
magic quotes). WordPress based on the PHP developers guidelines at the
time, decided to ease the pain for Plugin & Theme developers who possibly
weren't PHP experts, and were not aware of edge case installations, chose
to standardise the PHP Environment to a single "sane" environment,
something developers could rely upon.
However, years later, the core PHP Developers realised their mistake, and
that  defaulting to off was a much more sane approach, and changed it.. Of
course, that has left WordPress in a difficult spot, as Plugins and Themes
RELY upon WordPress to be quoting things, just turning it off causes all
sorts of breakages (slashes in posts, SQL vulnerabilities in old plugins,
and new plugins even, etc) and just isn't possible.
As mentioned in a previous reply, the solution going forward is a new API
and helper functions, it's a issue that's being actively worked upon in
other words.

You probably don't realise it, but, magic_quotes are not the only thing
that WordPress does for developers, just off the top of my head we also
standardise Error reporting levels, register_globals (We force it off by
undoing it's work), various $_SERVER paths and uri's (so many different PHP
configs and server environments cause those indexes to be unset, set
incorrectly, or unreliable), and I'm sure there's even more things I'm

tl;dr: WordPress isn't totally insane :)

More information about the wp-hackers mailing list