Magic Quotes
The following text is taken from PHP.net
http://www.php.net/manual/en/security.magicquotes.why.php
There is no reason to use magic quotes because they are no longer a supported part of PHP. However, they did exist and did help a few beginners blissfully and unknowingly write better (more secure) code. But, when dealing with code that relies upon this behavior it’s better to update the code instead of turning magic quotes on. So why did this feature exist? Simple, to help prevent SQL Injection. Today developers are better aware of security and end up using database specific escaping mechanisms and/or prepared statements instead of relying upon features like magical quotes.
addslashes() vs mysql_real_escape_string()
The reason why you should use mysql_real_escape_string() is because it’s a “MySQL function” and is created especially for escaping user input before it’s executed in a mysql query, while addslashes() is a “PHP function”. That probably sounded a little weird, but there’s one important difference between the two and it has to do with the use of single- and multi-byte characters. You can still inject databases protected by the addslashes function, but injecting databases protected by mysql_real_escape_string is far more difficult. You can read more about it HERE
Register Globals
The reason why you should NOT use register_globals is because variables become accessible to everyone, which means that in the following example you would be able to set $access to true if it hasn’t been initialized before:
<?php
// $access is never initialised before this check, so with register_globals ON
// a request such as ?access=1 pre-populates it and the check passes.
if (isAuthenticated()) { $access = true; }
if ($access == true) {
    include('controlpanel.php');
}
?>
The above code would give you sh#! loads of problems, but if we initialize the variable first by adding the following to the top of the page
$access = false;
…we should be fine even if we have register_globals ON
So, if the Wordpress team have initialized all variables (which they probably have) then you don’t have to worry about the use of globals.
Conclusion
It’s definitely bad practice to use any of those 3 functions/features and I would never do it myself. Are you sure you’re working with the latest version of Wordpress? Like someone commented, if you are using the latest version, it’s because of laziness, or worse, that it’s still in there. I’d never use Wordpress for anything other than blogs that don’t require much security.
NOTE: This answer was originally posted at StackOverflow.com by Tom
- Ann answered 13 years ago
- last active 13 years ago
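The multi-byte difference between addslashes() and mysql_real_escape_string() that the answer above points to can be reproduced offline. The following is an added example, not code from the answer, from PHP or from MySQL: addslashes_bytes() is a byte-oriented model of PHP's addslashes(), gbk_escape() is a simplified model of the multi-byte handling in MySQL's escape routine (the behaviour mysql_real_escape_string() gets once the client library knows the connection charset), and literal_terminates_early() walks a single-quoted literal the way a GBK-aware lexer would. The GBK byte ranges are the real ones (lead 0x81-0xFE, trail 0x40-0xFE except 0x7F, so 0x5C, the backslash, is a legal trail byte); the attacker payload is a constructed test input.

```python
"""Why addslashes() is not enough on a multi-byte (GBK) MySQL connection.

Added example; the escaping and lexing functions are simplified models of
PHP/MySQL behaviour, not their actual code. Sample inputs are constructed.
"""

# Bytes that both strategies escape, and what they become.
ESCAPES = {0x00: b"\\0", 0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\"}


def is_gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def is_gbk_trail(b: int) -> bool:
    # 0x40-0xFE minus 0x7F: the backslash (0x5C) is a valid trail byte.
    return 0x40 <= b <= 0xFE and b != 0x7F


def addslashes_bytes(data: bytes) -> bytes:
    """Byte-oriented escaping, like PHP's addslashes(): ignores the charset."""
    out = bytearray()
    for b in data:
        out += ESCAPES.get(b, bytes([b]))
    return bytes(out)


def gbk_escape(data: bytes) -> bytes:
    """Charset-aware escaping for a GBK connection (modelled on MySQL).

    A complete two-byte character is copied untouched. A lead byte that is
    NOT followed by a valid trail byte is itself escaped, so the backslash
    that the following quote receives cannot be absorbed into a new
    two-byte character.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if is_gbk_lead(b) and i + 1 < len(data) and is_gbk_trail(data[i + 1]):
            out += data[i:i + 2]
            i += 2
            continue
        if is_gbk_lead(b):
            out += b"\\" + bytes([b])   # stray lead byte: escape it
            i += 1
            continue
        out += ESCAPES.get(b, bytes([b]))
        i += 1
    return bytes(out)


def literal_terminates_early(escaped: bytes) -> bool:
    """Scan the body of a single-quoted literal as a GBK-aware lexer would.

    Returns True if an unescaped ' is reached: the attacker has closed the
    string and whatever follows is parsed as SQL.
    """
    i = 0
    while i < len(escaped):
        b = escaped[i]
        if is_gbk_lead(b) and i + 1 < len(escaped) and is_gbk_trail(escaped[i + 1]):
            i += 2          # one multi-byte character; a 0x5C inside it is data
        elif b == 0x5C:
            i += 2          # backslash escapes the next byte
        elif b == 0x27:
            return True
        else:
            i += 1
    return False


def build_query(escaper, username: bytes) -> bytes:
    return b"SELECT * FROM users WHERE name = '" + escaper(username) + b"'"


def demo() -> dict:
    # Constructed attacker input: a stray GBK lead byte, then a quote and SQL.
    payload = b"\xbf' OR 1=1 -- "
    return {
        "addslashes": literal_terminates_early(addslashes_bytes(payload)),
        "gbk_escape": literal_terminates_early(gbk_escape(payload)),
    }


if __name__ == "__main__":
    for name, broken in demo().items():
        print(f"{name}: {'INJECTED' if broken else 'safe'}")
```

With addslashes the payload becomes 0xBF 0x5C 0x27 ...: the lexer reads 0xBF 0x5C as one character and the quote that follows is unescaped, so the literal closes and OR 1=1 runs. The charset-aware escaper emits 0x5C 0xBF 0x5C 0x27, where the stray lead byte is itself escaped and the quote stays inside the string. Two caveats a practitioner should keep in mind: mysql_real_escape_string() only knows the connection charset if it was set with mysql_set_charset() rather than a SET NAMES query, and in UTF-8 this particular class of bypass does not arise because trail bytes never include 0x5C. Both mysql_real_escape_string() and the rest of the mysql_* extension were removed in PHP 7; prepared statements (PDO or mysqli) avoid the whole escaping question.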