Get unescaped POST, not magic quoted values in WordPress

Following the question: With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?

In WordPress, all superglobals are escaped even if magic quotes are off.

So, following this answer: With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?

If I create a plugin and a class to access raw POST, GET, etc., is it a good solution? Do you see any drawbacks, issues whatsoever in such an approach?

Here is my plugin below:

<?php
class MyPluginRequest {
    // Return the raw (unslashed) POST value for $key, or false if it is absent.
    public static function getPost( $key ) {
        global $_REAL_POST;
        return isset( $_REAL_POST[ $key ] ) ? $_REAL_POST[ $key ] : false;
    }
}

// A hack to cope with the un-configurable call to wp_magic_quotes():
// make the original, unslashed $_POST available through a global $_REAL_POST.
// This runs at plugin include time, i.e. before wp_magic_quotes() slashes the
// superglobals in place; PHP copies arrays by value, so the snapshots keep
// the raw request data.
global $_REAL_GET, $_REAL_POST, $_REAL_COOKIE, $_REAL_REQUEST;
$_REAL_GET     = $_GET;
$_REAL_POST    = $_POST;
$_REAL_COOKIE  = $_COOKIE;
$_REAL_REQUEST = $_REQUEST;

I then use MyPluginRequest::getPost( 'submit' ); every time I need a posted unescaped value.

Does $wpdb->escape expect an already magic quoted value or an unescaped one?

Electromotive answered 15/4, 2014 at 19:2 Comment(0)

That looks like it should work fine. On the latter part of the question, I believe $wpdb->escape is deprecated, per the comment block:

/**
 * Do not use, deprecated.
 *
 * Use esc_sql() or wpdb::prepare() instead.
 *
 * ...

Looking through the WordPress code to determine if wpdb::prepare expects magic quoted value leads us into a quagmire of horrid WordPress code... >bites tongue<

It looks like it expects non-magic-quoted strings to me, but there's a chance it won't double escape if you pass it a magic quoted string, though I'd verify with a test.

Tagmeme answered 15/4, 2014 at 20:8 Comment(9)
Just setting up the test has me wanting to blow my brains out; the WordPress code is some of the worst I have seen in open source land. - Tagmeme
lol, does wpdb::prepare expect magic quoted values? I have dug into some code also... yup, it is a nightmare... wp_insert_post expects escaped values. wpdb->insert, update, delete do not expect escaped values... man, do I have to read each function I use to determine whether to escape or not?? Is there a list somewhere?? - Electromotive
Probably you should find a WordPress IRC channel for developers or something. Those guys should be able to answer these kinds of questions more readily. - Tagmeme
I am going to post on the WordPress forum. There's probably something we are missing... It shouldn't be that messy to code in WP, right? Or are a lot of programmers just doing it wrong, and many plugins may be vulnerable to SQL injection; not properly escaped, or having extra slashes in their content? lol - Electromotive
idk, the code for WP is really bad. It's a shame to see systems like that becoming so popular. I mean it's nice from a user standpoint, but from a code standpoint, it's atrocious! - Tagmeme
Yup, I am realising it... I have started working on it and started to "tolerate" it, but then I saw that magic quote mess... I wonder if I should port my WordPress project to Drupal 7. - Electromotive
I have taken a look at wpdb::prepare and it looks like it expects unescaped values, as it will escape them for you. - Electromotive
Problem with my request class: it does not seem to work properly. - Electromotive
I inputted 'test' "test\" in a textarea and submitted it... In a callback to my add_action('init'), $_REAL_POST has 'test' "test"; the slash has been stripped... I have no idea why. If I output $_REAL_POST in my main plugin PHP instead of the init callback, $_REAL_POST is fine. Any clue? - Electromotive
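The slash/unslash round trip the answer and the last comments describe, as an added example that is not code from the question, the answer or WordPress core: it reproduces the slashing wp_magic_quotes() applies to $_POST, shows that a snapshot taken before it (the plugin above) and core's wp_unslash() both yield the raw value, and shows the doubled backslashes produced when an already-slashed value reaches something that escapes again, such as $wpdb->prepare(). Assumptions: the guarded add_magic_quotes()/wp_unslash() definitions and posted_raw() are stand-ins so the script runs outside WordPress, and addslashes() stands in for the escaping prepare() performs.

```php
<?php
// Added example, not WordPress core code. Outside WordPress the two guarded
// functions below stand in for core's add_magic_quotes() and wp_unslash();
// inside WordPress the core versions are used instead.
if ( ! function_exists( 'add_magic_quotes' ) ) {
    function add_magic_quotes( $array ) {            // addslashes() recursively
        foreach ( (array) $array as $k => $v ) {
            $array[ $k ] = is_array( $v ) ? add_magic_quotes( $v ) : addslashes( $v );
        }
        return $array;
    }
}
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {                  // stripslashes() recursively
        return is_array( $value ) ? array_map( 'wp_unslash', $value ) : stripslashes( $value );
    }
}

// Hypothetical helper: the core-supported alternative to a snapshot class is
// to unslash on read, whenever the hook runs.
function posted_raw( $key ) {
    return isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : false;
}

// Constructed input: what a browser sends for a textarea holding  'test' "test\"
$_POST = array( 'note' => "'test' \"test\\\"" );

$snapshot = $_POST;                  // taken at plugin include time, before slashing;
                                     // PHP copies the array, so it stays unslashed
$_POST = add_magic_quotes( $_POST ); // what wp_magic_quotes() does to every superglobal

printf( "snapshot  : %s\n", $snapshot['note'] );
printf( "slashed   : %s\n", $_POST['note'] );
printf( "unslashed : %s\n", posted_raw( 'note' ) );

// $wpdb->prepare() escapes each %s argument itself (addslashes() stands in for
// that here), so it must receive the unslashed value. Feeding it the slashed
// copy escapes twice, and the stored text keeps the extra backslashes.
printf( "prepare(slashed)   : %s\n", addslashes( $_POST['note'] ) );
printf( "prepare(unslashed) : %s\n", addslashes( posted_raw( 'note' ) ) );
// Inside WordPress the corresponding call would be:
//   $wpdb->prepare( "INSERT INTO {$wpdb->prefix}notes (note) VALUES (%s)", posted_raw( 'note' ) );
```

Run it with `php` on the command line; the two "prepare" lines differ only in whether the value was unslashed first, which is the extra-slashes symptom the comments mention.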

© 2022 - 2024 — McMap. All rights reserved.