id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc
5791,End the Escape Madness in wp-settings.php,hakre,anonymous,"Mixing things up is well - mixing things up. I know it's very hard, the damn fukne hard way to realize this years later and then confront yourself with an installation-base you just have left all over the planet. I think any PHP coder knows about such issues. One of them for me is the by me so called

magic-quotes-complex.

there was a time when you needed to check at the very beginning of your code wether magic_quotes_gpc was on or off. do you remember? gosh that was a time!

so everybody who had no access to the php configuration put some if clause in their code checking for get_magic_quotes_gpc() and then unslashing the request vars if they were slashed.

then time passed by.

things changed.

php evolved.

it was talked much about php.

at the end of a very long and deep discussion process, php devs decided to throw magic_quotes out of their codebase because it created a lot of chaos while proving no use.

some time ago, some authors thought: hmm how to end the madness? they were very-very clever: not only cheking for by-php-added-slashes and then removing-them-all only to add-slashes-all-over-again. shortly said: escaping the escaping-madess and leaving an ever bigger madness.

dear wordpress devs. when can we end this? i know it's hard to realise but whouldn't it be possible to throw this second escaping all over anything-by-request leaving the programmers a chance to know what kind of data they are dealing with? i don't want to rant but what about providing at least a known version number or a global configuration setting sothat a plugin author knows wether form input is useless-slashed or not? adding slashes at the very beginning does not help anyone, it was a fault to think that it reduces attacks.",enhancement,closed,normal,,General,,normal,maybelater,needs-patch,norbert@…