#5791 closed enhancement (maybelater)
End the Escape Madness in wp-settings.php
| Reported by: | hakre | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | General | Keywords: | needs-patch |
| Focuses: | | Cc: | |
Description
Mixing things up is well - mixing things up. I know it's very hard, the damn fukne hard way to realize this years later and then confront yourself with an installation-base you just have left all over the planet. I think any PHP coder knows about such issues. One of them, for me, is what I call the magic-quotes-complex.
there was a time when you needed to check at the very beginning of your code whether magic_quotes_gpc was on or off. do you remember? gosh that was a time!
so everybody who had no access to the php configuration put some if clause in their code checking for get_magic_quotes_gpc() and then unslashing the request vars if they were slashed.
then time passed by.
things changed.
php evolved.
it was talked much about php.
at the end of a very long and deep discussion process, php devs decided to throw magic_quotes out of their codebase because it created a lot of chaos while proving no use.
some time ago, some authors thought: hmm how to end the madness? they were very-very clever: not only checking for by-php-added-slashes and then removing-them-all only to add-slashes-all-over-again. shortly said: escaping the escaping-madness and leaving an ever bigger madness.
dear wordpress devs. when can we end this? i know it's hard to realise but wouldn't it be possible to throw this second escaping all over anything-by-request leaving the programmers a chance to know what kind of data they are dealing with? i don't want to rant but what about providing at least a known version number or a global configuration setting so that a plugin author knows whether form input is useless-slashed or not? adding slashes at the very beginning does not help anyone, it was a fault to think that it reduces attacks.
Change History (10)
#2
17 years ago
I'd love to remove the escaping, but that would cause huge back compat problems for plugins. Maybe someday, but it will take a big, coordinated effort.
#3
17 years ago
That's why I suggested to have a kind of global flag that can be checked or a function that always returns the unescaped data. Then plugin authors can migrate (never will everyone update all at the same time) and wordpress can as well.
There are a few issues with the way magic quotes is handled, but that code has been battle tested for quite a while now. I agree it could be simplified, but that is about it.
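
The double escaping described in the ticket and the unescaped accessor proposed in comment #3, as an added example that is not part of the ticket or of WordPress's code. The function names `demo_slash_deep` and `demo_unslashed` and the sample request are assumptions made for illustration.

```php
<?php
// Stand-in for the unconditional slashing the ticket describes: every
// request value gets addslashes() applied, whatever magic_quotes_gpc was.
function demo_slash_deep($value) {
    return is_array($value)
        ? array_map('demo_slash_deep', $value)
        : (is_string($value) ? addslashes($value) : $value);
}

// Hypothetical accessor in the spirit of comment #3: always hands back
// the raw value, so the caller escapes once, for the sink it writes to.
function demo_unslashed($value) {
    return is_array($value)
        ? array_map('demo_unslashed', $value)
        : (is_string($value) ? stripslashes($value) : $value);
}

// Constructed sample request, as the client sent it.
$raw = ['author' => "O'Reilly", 'tags' => ['a\\b', 'say "hi"']];

// What plugin code sees after the bootstrap has slashed everything.
$_POST = demo_slash_deep($raw);

// 1. Plugin unaware of the slashing: a stray backslash reaches the page.
$naive = htmlspecialchars($_POST['author'], ENT_QUOTES, 'UTF-8');

// 2. Plugin that escapes again "to be safe": the backslashes multiply.
$double = addslashes($_POST['author']);

// 3. Plugin that unslashes first, then escapes for the actual sink
//    (HTML here; a database write would use a parameterized query).
$clean = demo_unslashed($_POST);
$html  = htmlspecialchars($clean['author'], ENT_QUOTES, 'UTF-8');

printf("after bootstrap : %s\n", $_POST['author']);
printf("naive HTML      : %s\n", $naive);
printf("escaped twice   : %s\n", $double);
printf("unslashed + HTML: %s\n", $html);
printf("round trip equals raw input: %s\n", var_export($clean === $raw, true));
```

Slashing at bootstrap is not escaping for any particular sink: the HTML output in case 1 still needed `htmlspecialchars()`, and the only thing the early `addslashes()` contributed was a backslash the user never typed.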