[wp-trac] [WordPress Trac] #17856: magic_quotes_gpc future-proof enhancements
WordPress Trac
wp-trac at lists.automattic.com
Tue Jun 21 01:13:45 UTC 2011
#17856: magic_quotes_gpc future-proof enhancements
--------------------------+-----------------------------
Reporter: troydavisson | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords: has-patch
--------------------------+-----------------------------
As is well documented across the Internet, the magic_quotes_gpc feature is
going away in future versions of PHP. WordPress has historically
automatically escaped _GET, _POST, _REQUEST and _COOKIE input from users,
even if the server doesn't have magic_quotes_gpc turned on. Regardless of
the reasons for this, having a way to move forward seems absolutely
necessary.
Current issues related to this include (among others):
* maintaining backwards compatibility for those plugin developers who
depend on WordPress handling this escaping for them
* giving plugin developers a way to help put magic_quotes_gpc in the past
* giving developers access to the original super globals
* making these super global values read-only so that poorly written
plugins/themes don't cause conflicts and problems for other plugins/themes
----
Attached is a patch which I believe handles this effectively without
causing any backwards compatibility issues.
This patch introduces 5 new getter functions for WordPress:
* wp_input_get()
* wp_input_post()
* wp_input_get_post()
* wp_input_cookie()
* wp_input_server()
When WordPress first loads, these 5 functions grab the original copies of
their respective super globals, undo magic_quotes if it's turned on and
then make the values accessible in a read-only way.
Moving forward, plugin developers can be encouraged to use, for example,
wp_input_get('name') rather than $_GET['name']. In addition to giving
developers a migration path away from the forced magic_quotes_gpc
behavior, additional security filters could be done on the given values
for further protection.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/17856>
WordPress Trac <http://core.trac.wordpress.org/>
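An added illustration of the accessor design sketched in the ticket (not the attached patch and not WordPress core code): the super globals are copied once at load, slashes added by magic_quotes_gpc are stripped so every caller sees the same raw input regardless of server configuration, and the copies are handed out read-only. The class name, the `$default` parameter and the `get()` helper are assumptions for this example.

```php
<?php
// Added example, not the ticket's patch: a read-only input accessor in the
// spirit of the wp_input_*() getters proposed above. Names are assumptions.

final class WP_Input_Example {
    private static $snapshot = null;

    // Capture the raw super globals once, before any plugin can modify them.
    public static function init() {
        if (self::$snapshot !== null) {
            return; // already captured; later calls cannot replace the copies
        }
        $sources = array(
            'get'    => $_GET,
            'post'   => $_POST,
            'cookie' => $_COOKIE,
            'server' => $_SERVER,
        );
        // magic_quotes_gpc (PHP < 5.4) only touches GET, POST and COOKIE data;
        // undo it here so the stored copies are always unescaped input.
        $quoted = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
        foreach ($sources as $name => $data) {
            self::$snapshot[$name] = ($quoted && $name !== 'server')
                ? self::strip_slashes_deep($data)
                : $data;
        }
    }

    // Recursive stripslashes(), since request arrays may contain nested arrays.
    private static function strip_slashes_deep($value) {
        if (!is_array($value)) {
            return stripslashes($value);
        }
        $clean = array();
        foreach ($value as $k => $v) {
            $clean[$k] = self::strip_slashes_deep($v);
        }
        return $clean;
    }

    // Read-only access: a copy is returned, so callers cannot alter the snapshot.
    public static function get($source, $key, $default = null) {
        self::init();
        return isset(self::$snapshot[$source][$key]) ? self::$snapshot[$source][$key] : $default;
    }
}

// Thin wrappers using the naming proposed in the ticket (assumed signatures).
function wp_input_get($key, $default = null)    { return WP_Input_Example::get('get', $key, $default); }
function wp_input_post($key, $default = null)   { return WP_Input_Example::get('post', $key, $default); }
function wp_input_cookie($key, $default = null) { return WP_Input_Example::get('cookie', $key, $default); }

WP_Input_Example::init(); // run as early as possible, before plugins load
```

Because the returned values are raw, unescaped input, callers must still escape at the sink (prepared statements for SQL, output escaping for HTML) rather than relying on the slashes that magic_quotes_gpc used to add.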