wp automatically escaping global vars!

This thing is incredible. PHP has been telling people for ages that variables should not be automatically escaped and that doing so was a mistake, to the extent that the feature was removed altogether starting with PHP 5.4.

Guess what? WordPress has its own behavior of escaping the global vars, independently of PHP! And even better, they have known about it for more than a year and there is no native way to deactivate it!

Before wp is loaded:

    var_dump($_GET['var']); //string 'st laurent d'' (length=13)

The single quote at the end of the string is unescaped.

After wp is loaded:

    var_dump($_GET['var']); //string 'st laurent d\'' (length=13)

The single quote at the end of the string is escaped.

This thing is ridiculous.

It is better to know about it and work around it using WordPress's version of stripslashes, `stripslashes_deep`:

    $_POST      = array_map( 'stripslashes_deep', $_POST );
    $_GET       = array_map( 'stripslashes_deep', $_GET );
    $_COOKIE    = array_map( 'stripslashes_deep', $_COOKIE );
    $_REQUEST   = array_map( 'stripslashes_deep', $_REQUEST );
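
An alternative to overwriting the superglobals is to unslash each value where it is read, since code that runs later may expect the slashed form and unslash a second time. The following is an added example, not code from the original post: `request_value()` and the sample array are hypothetical, and the two fallback definitions are stand-ins so the script also runs outside WordPress, where `stripslashes_deep()` and `wp_unslash()` are not available.

```php
<?php
// Stand-ins so the example also runs outside WordPress; inside WordPress the
// real stripslashes_deep() and wp_unslash() are used instead.
if (!function_exists('stripslashes_deep')) {
    function stripslashes_deep($value) {
        return is_array($value) ? array_map('stripslashes_deep', $value)
             : (is_string($value) ? stripslashes($value) : $value);
    }
}
if (!function_exists('wp_unslash')) {
    function wp_unslash($value) { return stripslashes_deep($value); }
}

// Hypothetical helper: return an unslashed copy of one request value and
// leave the superglobal itself slashed, as WordPress-aware code expects it.
function request_value(array $source, $key, $default = null) {
    return array_key_exists($key, $source) ? wp_unslash($source[$key]) : $default;
}

// Constructed sample: the shape of $_GET after WordPress has loaded.
$slashed_get = array(
    'var'  => 'st laurent d\\\'',          // quote preceded by one backslash
    'path' => 'C:\\\\temp',                // real backslash, doubled by slashing
    'tags' => array('l\\\'ete', 'plain'),  // nested arrays are slashed too
);

// Point-of-use unslashing: the submitted values come back, nested ones included.
var_dump(request_value($slashed_get, 'var'));
var_dump(request_value($slashed_get, 'path'));
var_dump(request_value($slashed_get, 'tags'));

// Failure mode of overwriting the superglobals: code that runs afterwards and
// unslashes again removes the backslash the user actually typed.
$overwritten = array_map('stripslashes_deep', $slashed_get);
var_dump(wp_unslash($overwritten['path']));
```

The added slashes are not a substitute for parameterised queries; values headed for the database still belong in `$wpdb->prepare()`.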
