magic_quotes_gpc future-proof enhancements
Reported by: troydavisson
As is well documented across the Internet, the magic_quotes_gpc feature is going away in future versions of PHP. WordPress has historically automatically escaped _GET, _POST, _REQUEST and _COOKIE input from users, even if the server doesn't have magic_quotes_gpc turned on. Regardless of the reasons for this, having a way to move forward seems absolutely necessary.
Current issues related to this include (among others):
- maintaining backwards compatibility for those plugin developers who depend on WordPress handling this escaping for them
- giving plugin developers a way to help put magic_quotes_gpc in the past
- giving developers access to the original super globals
- making these super global values read-only so that poorly written plugins/themes don't cause conflicts and problems for other plugins/themes
Attached is a patch which I believe handles this effectively without causing any backwards compatibility issues.
This patch introduces 5 new getter functions for WordPress:
When WordPress first loads, these 5 functions grab the original copies of their respective super globals, undo magic_quotes if it's turned on and then make the values accessible in a read-only way.
Moving forward, plugin developers can be encouraged to use, for example, wp_input_get('name') rather than $_GET['name']. In addition to giving developers a migration path away from the forced magic_quotes_gpc behavior, additional security filters could be done on the given values for further protection.
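The following sketch shows the snapshot-then-read-only-getter idea described in this ticket. It is an added example, not the attached patch or WordPress core code: only the name wp_input_get() comes from the ticket, its signature here is assumed, the example_* helpers are hypothetical, and the request data is constructed.

```php
<?php
// Added illustration; not the attached patch. The example_* names are hypothetical.

// Remove one layer of slashes from a value or a nested array of values.
function example_unslash($value) {
    return is_array($value)
        ? array_map('example_unslash', $value)
        : stripslashes($value);
}

// Copy a superglobal and undo magic_quotes_gpc only if PHP actually applied it.
function example_snapshot(array $source) {
    // get_magic_quotes_gpc() no longer exists in PHP 8, so guard the call.
    $quoted = function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
    return $quoted ? example_unslash($source) : $source;
}

// Read-only accessor: the snapshot lives in a function-local static, so
// plugins and themes can read it but have no way to write to it.
function wp_input_get($key = null, $default = null) {
    static $raw = null;
    if ($raw === null) {
        $raw = example_snapshot($_GET); // captured on the first call
    }
    if ($key === null) {
        return $raw; // PHP arrays are returned by value, i.e. as a copy
    }
    return array_key_exists($key, $raw) ? $raw[$key] : $default;
}

// Constructed request, equivalent to ?name=O'Reilly
$_GET = array('name' => "O'Reilly");

wp_input_get(); // take the snapshot early, before anything touches $_GET

// Stand-in for WordPress's forced escaping of the superglobal.
$_GET = array_map('addslashes', $_GET);
echo 'after forced escaping: ', $_GET['name'], PHP_EOL;

// A later write by some other plugin changes $_GET but not the snapshot.
$_GET['name'] = 'overwritten elsewhere';
echo 'superglobal now:       ', $_GET['name'], PHP_EOL;
echo 'wp_input_get("name"):  ', wp_input_get('name'), PHP_EOL;
echo 'missing key default:   ', var_export(wp_input_get('absent', false), true), PHP_EOL;
```

Values returned by such a getter are unescaped, so code that switches from the superglobal to the getter must pass them to the database through $wpdb->prepare() and escape them on output rather than relying on the slashes WordPress used to add.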