WP Automatically escaping GET and POST etc globals
-
Hello again WP support staff π
Last night I began noticing some oddness with $_GET and friends under a WP plugin page I am working on.
Thing is, the contents were being escaped, SQL insertion style. Looked like PHP Magic Quotes. Sure enough, Magic Quotes ™ was on to my surprise. But things were weird, I would strip the slashes from the parameter I was interested in at the top of the plugin, and then later they would come back…
Now I am not a PHP guru, I use it because I am a C++ guru more or less, so it’s familiar to me syntax wise (and because all of the cool apps do) so I assumed it was simply a scoping deal. I needed to access the parameter in lots of ways and did not want to institute a shadow global for tracking it, so I labored to disable Magic Quotes.
Now quotes are off, but it is as if WP has its own Magic Quotes regime, as if the original was not bad enough (see the Wikipedia Magic Quotes article)
It seems like WP is undoing MQ if necessary and then doing its own automatic escaping, probably mysql_real_esc… to _GET and friends at some arbitrary point within the execution timeline.
A) I thought everyone agreed MQ is a bad strategy, PHP 5.4 removes them, and “the codex” is persistent about escaping your shit, but doesn’t point out that it auto-escapes these things “for” you.
B) What’s going on here? What strategies are available to me? I don’t like coding around WP, but I’d like to at least know precisely when WP does this and if it does this or not in future updates.
Thanks again crew!
- The topic ‘WP Automatically escaping GET and POST etc globals’ is closed to new replies.