问题描述
以下问题:
Following the question: With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?
在WordPress中,即使魔术引号,所有超全局变量都将转义.关闭.
In WordPress, all superglobals are escaped even if magic quotes are off.
因此,请遵循以下答案:
So, following this answer: With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?
如果我创建了一个插件和一个类来访问原始POST,GET等,这是一个好的解决方案吗?这样的方法,您是否看到任何弊端或问题?
If I create a plugin and a class to access raw POST, GET, etc., is it a good solution? Do you see any drawbacks, issues whatsoever in such an approach?
这是我下面的插件:
class MyPluginRequest{
public static function getPost( $key ){
global $_REAL_POST;
return isset( $_REAL_POST[ $key ] )? $_REAL_POST[ $key ] : FALSE ;
}
}
// A hack to cope with un-configurable call to wp_magic_quotes
// E.G. Make the original $_POST available through a global $_REAL_POST
global $_REAL_GET, $_REAL_POST, $_REAL_COOKIE, $_REAL_REQUEST;
$_REAL_GET = $_GET;
$_REAL_POST = $_POST;
$_REAL_COOKIE = $_COOKIE;
$_REAL_REQUEST = $_REQUEST;
然后我每次需要发布未转义的值时都使用MyPluginRequest::getPost( 'submit' );
.
I then use MyPluginRequest::getPost( 'submit' );
every time I need a posted unescaped value.
$wpdb->escape
是期望已经神奇的报价值还是未转义的值?
Does $wpdb->escape
expect an already magic quoted value or an unescaped one?
推荐答案
看起来应该可以正常工作.对于该问题的后半部分,我认为按注释块不推荐使用$wpdb->escape
That looks like it should work fine. On the later part of the question I believe $wpdb->escape
is deprecated, per the comment block
/**
* Do not use, deprecated.
*
* Use esc_sql() or wpdb::prepare() instead.
*
* ...
仔细查看WordPress代码以确定wpdb::prepare
是否期望魔术引用的值使我们陷入了可怕的WordPress代码的泥潭... ...咬舌头<
Looking through the WordPress code to determine if wpdb::prepare
expects magic quoted value leads us into a quagmire of horrid WordPress code... >bites tongue<
它看起来像是希望我使用非用引号引起来的字符串,但是,即使我通过测试验证,如果您将其传递给用引号引起来的字符串,也有可能不会两次转义.
It looks like it expects non-magic-quoted strings to me, but there's a chance it won't double escape if you pass it a magic quoted string, though I'd verify with a test.
这篇关于获取未转义的POST,而不是WordPress中的魔术引号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!