获取未转义的POST，而不是WordPress中的魔术引号 [英] Get unescaped POST, not magic quoted values in WordPress

问题描述

以下问题:

Following the question: With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?

在WordPress中，即使魔术引号，所有超全局变量都将转义.关闭.

In WordPress, all superglobals are escaped even if magic quotes are off.

因此，请遵循以下答案:

So, following this answer: With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?

如果我创建了一个插件和一个类来访问原始POST，GET等，这是一个好的解决方案吗?这样的方法，您是否看到任何弊端或问题?

If I create a plugin and a class to access raw POST, GET, etc., is it a good solution? Do you see any drawbacks, issues whatsoever in such an approach?

这是我下面的插件:

class MyPluginRequest{
    public static function getPost( $key ){
        global $_REAL_POST;
        return isset( $_REAL_POST[ $key ] )? $_REAL_POST[ $key ] : FALSE ;
    }
}

// A hack to cope with un-configurable call to wp_magic_quotes
// E.G. Make the original $_POST available through a global $_REAL_POST
global $_REAL_GET, $_REAL_POST, $_REAL_COOKIE, $_REAL_REQUEST;
$_REAL_GET     = $_GET;
$_REAL_POST    = $_POST;
$_REAL_COOKIE  = $_COOKIE;
$_REAL_REQUEST = $_REQUEST;

然后我每次需要发布未转义的值时都使用MyPluginRequest::getPost( 'submit' );.

I then use MyPluginRequest::getPost( 'submit' ); every time I need a posted unescaped value.

$wpdb->escape是期望已经神奇的报价值还是未转义的值?

Does $wpdb->escape expect an already magic quoted value or an unescaped one?

推荐答案

看起来应该可以正常工作.对于该问题的后半部分，我认为按注释块不推荐使用$wpdb->escape

That looks like it should work fine. On the later part of the question I believe $wpdb->escape is deprecated, per the comment block

/**
 * Do not use, deprecated.
 *
 * Use esc_sql() or wpdb::prepare() instead.
 *
 * ...

仔细查看WordPress代码以确定wpdb::prepare是否期望魔术引用的值使我们陷入了可怕的WordPress代码的泥潭... ...咬舌头<

Looking through the WordPress code to determine if wpdb::prepare expects magic quoted value leads us into a quagmire of horrid WordPress code... >bites tongue<

它看起来像是希望我使用非用引号引起来的字符串，但是，即使我通过测试验证，如果您将其传递给用引号引起来的字符串，也有可能不会两次转义.

It looks like it expects non-magic-quoted strings to me, but there's a chance it won't double escape if you pass it a magic quoted string, though I'd verify with a test.

这篇关于获取未转义的POST，而不是WordPress中的魔术引号的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！