WordPress.org

Make WordPress Core

Opened 2 years ago

Closed 2 years ago

#36438 closed enhancement (duplicate)

Address Magic Quotes Problem with New Methods

Reported by: MikeSchinkel
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.6
Component: General
Keywords:
Focuses:
Cc:

Description

Obviously the magic quotes issue has been a major headache over the years. But it can't be fixed without breaking backward compatibility. Or can it?

I'd like to propose the addition of some static methods on the WP class to provide an alternative free of magic quotes that we could use to slowly replace the need for using wp_slash() inside so many core functions. To include:

WP::POST()     // An unslashed version of $_POST
WP::GET()      // An unslashed version of $_GET
WP::REQUEST()  // An unslashed version of $_REQUEST

These can be set once early in wp-settings.php and then we could slowly replace any reference to $_POST, $_GET and $_REQUEST inside core that is followed by a wp_unslash().

Further, we could introduce alternatives to wp_insert_post, wp_update_post, update_post_meta, wp_insert_term, wp_insert_user, et al. that do not expect slashed data and recommend against using the old ones in new themes and plugins:

WP::insert_post()   
WP::update_post()   
WP::update_post_meta() 
WP::insert_term()   
WP::insert_user() 
// And so on...

The benefits of this will be to provide a rational path forward so that we are not caught with our pants down again on a future new feature, and to make it much easier for most people to deal with this issue when they need access to $_POST, $_GET and $_REQUEST.

I'll be happy to add a patch if the core team is interested in pursuing this.
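
As an added illustration (not part of the ticket and not WordPress core code), the sketch below shows the accessor idea from the description: snapshot unslashed copies once, then read only from them. `Request_Snapshot`, `capture()` and `walk()` are hypothetical names, the input is constructed, and the slashing of `$_POST` is simulated with `addslashes()`.

```php
<?php
// Added example. Request_Snapshot is a hypothetical name, not a WordPress core class.
final class Request_Snapshot {
	private static $data = array( 'GET' => array(), 'POST' => array(), 'REQUEST' => array() );
	// Call once, right after the superglobals have been slashed.
	public static function capture( array $get, array $post ) {
		self::$data = array(
			'GET'     => self::walk( $get, 'stripslashes' ),
			'POST'    => self::walk( $post, 'stripslashes' ),
			'REQUEST' => self::walk( array_merge( $get, $post ), 'stripslashes' ),
		);
	}

	public static function GET( $key, $default = null ) { return self::read( 'GET', $key, $default ); }
	public static function POST( $key, $default = null ) { return self::read( 'POST', $key, $default ); }
	public static function REQUEST( $key, $default = null ) { return self::read( 'REQUEST', $key, $default ); }

	private static function read( $bag, $key, $default ) {
		return array_key_exists( $key, self::$data[ $bag ] ) ? self::$data[ $bag ][ $key ] : $default;
	}

	// Apply $fn to every string leaf, recursing into nested arrays.
	public static function walk( $value, $fn ) {
		if ( is_array( $value ) ) {
			foreach ( $value as $k => $v ) {
				$value[ $k ] = self::walk( $v, $fn );
			}
			return $value;
		}
		return is_string( $value ) ? $fn( $value ) : $value;
	}
}

// Constructed sample: the values a client actually sent.
$sent = array( 'title' => "O'Reilly", 'path' => 'C:\\temp', 'tags' => array( 'it\'s "new"' ) );
// Simulate the slashing applied to $_POST (addslashes on every string value).
$slashed = Request_Snapshot::walk( $sent, 'addslashes' );
Request_Snapshot::capture( array(), $slashed );

// The accessor must hand back exactly what was sent, nested values included.
foreach ( $sent as $key => $value ) {
	if ( Request_Snapshot::POST( $key ) !== $value ) {
		throw new RuntimeException( "unslashed value differs for '$key'" );
	}
}

// Hazard when mixing conventions: a function that expects slashed input unslashes
// again, so an already-unslashed value silently loses its backslash.
printf( "sent: %s\nafter a second unslash: %s\n", $sent['path'], stripslashes( Request_Snapshot::POST( 'path' ) ) );
```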

Change History (1)

#1 @dd32
2 years ago

  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed

A lot of this is covered in #18322 and #22325

Marking this as a duplicate as we don't need a 3rd ticket for it.
