Make WordPress Core

Opened 14 years ago

Closed 11 years ago

Last modified 6 months ago

#5791 closed enhancement (maybelater)

End the Escape Madness in wp-settings.php

Reported by: hakre Owned by:
Milestone: Priority: normal
Severity: normal Version:
Component: General Keywords: needs-patch
Focuses: Cc:


Mixing things up is well - mixing things up. I know it's very hard, the damn fukne hard way to realize this years later and then confront yourself with an installation-base you just have left all over the planet. I think any PHP coder knows about such issues. One of them for me is the by me so called


there was a time when you needed to check at the very beginning of your code wether magic_quotes_gpc was on or off. do you remember? gosh that was a time!

so everybody who had no access to the php configuration put some if clause in their code checking for get_magic_quotes_gpc() and then unslashing the request vars if they were slashed.

then time passed by.

things changed.

php evolved.

it was talked much about php.

at the end of a very long and deep discussion process, php devs decided to throw magic_quotes out of their codebase because it created a lot of chaos while proving no use.

some time ago, some authors thought: hmm how to end the madness? they were very-very clever: not only cheking for by-php-added-slashes and then removing-them-all only to add-slashes-all-over-again. shortly said: escaping the escaping-madess and leaving an ever bigger madness.

dear wordpress devs. when can we end this? i know it's hard to realise but whouldn't it be possible to throw this second escaping all over anything-by-request leaving the programmers a chance to know what kind of data they are dealing with? i don't want to rant but what about providing at least a known version number or a global configuration setting sothat a plugin author knows wether form input is useless-slashed or not? adding slashes at the very beginning does not help anyone, it was a fault to think that it reduces attacks.

Change History (10)

#1 @darkdragon
14 years ago

  • Type changed from defect to enhancement
  1. Magic quotes is removed in PHP 6, WordPress supports 4.3, therefore the magic quotes is unlikely to be removed any time soon.
  2. The reason the slashes are added is so that plugins don't have to check, they automatically know that all input from POST, GET have slashes and can unslash for their purposes.

There are a few issues with the way magic quotes is handled, but that code has been battle tested for quite a while now. I agree it could be simplified, but that is about it.

#2 @ryan
14 years ago

I'd love to remove the escaping, but that would cause huge back compat problems for plugins. Maybe someday, but it will take a big, coordinated effort.

#3 @hakre
14 years ago

That's why I suggested to have a kind of global flag that can be checked or a function that always returns the unescaped data. Then plugin authors can migrate (never will everyone update all the same time) and wordpress can as well.

#4 @Denis-de-Bernardy
13 years ago

maybe one day. :-)

#5 @Denis-de-Bernardy
13 years ago

  • Keywords needs-patch added
  • Milestone changed from 2.9 to Future Release

#6 @norbertm
11 years ago

  • Cc norbert@… added

#7 @dd32
11 years ago

  • Milestone Future Release deleted
  • Resolution set to maybelater
  • Status changed from new to closed

#8 @hakre
11 years ago

Related: #17018

#10 @hakre
8 years ago

Needs review after [23416] / #21767 - Further related: #22325,

Note: See TracTickets for help on using tickets.