id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
17856,magic_quotes_gpc future-proof enhancements,troydavisson,,"As is well documented across the Internet, the magic_quotes_gpc feature is going away in future versions of PHP.  WordPress has historically automatically escaped _GET, _POST, _REQUEST and _COOKIE input from users, even if the server doesn't have magic_quotes_gpc turned on.  Regardless of the reasons for this, having a way to move forward seems absolutely necessary.

Current issues related to this include (among others):

* maintaining backwards compatibility for those plugin developers who depend on WordPress handling this escaping for them
* giving plugin developers a way to help put magic_quotes_gpc in the past
* giving developers access to the original super globals
* making these super global values read-only so that poorly written plugins/themes don't cause conflicts and problems for other plugins/themes

----

Attached is a patch which I believe handles this effectively without causing any backwards compatibility issues.

This patch introduces 5 new getter functions for WordPress:

* wp_input_get()
* wp_input_post()
* wp_input_get_post()
* wp_input_cookie()
* wp_input_server()

When WordPress first loads, these 5 functions grab the original copies of their respective super globals, undo magic_quotes if it's turned on and then make the values accessible in a read-only way.

Moving forward, plugin developers can be encouraged to use, for example, wp_input_get('name') rather than $_GET['name'].  In addition to giving developers a migration path away from the forced magic_quotes_gpc behavior, additional security filters could be done on the given values for further protection.",enhancement,new,normal,Awaiting Review,General,,normal,,has-patch,troy.davisson@…
