而不是WordPress中的魔术引号

而不是WordPress中的魔术引号

关注
发信
关注(28)粉丝(399)

获取未转义的POST,而不是WordPress中的魔术引号

本文介绍了获取未转义的POST,而不是WordPress中的魔术引号的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

以下问题:

Following the question: With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?

在WordPress中,即使魔术引号,所有超全局变量都将转义.关闭.

In WordPress, all superglobals are escaped even if magic quotes are off.

因此,请遵循以下答案:

So, following this answer: With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?

如果我创建了一个插件和一个类来访问原始POST,GET等,这是一个好的解决方案吗?这样的方法,您是否看到任何弊端或问题?

If I create a plugin and a class to access raw POST, GET, etc., is it a good solution? Do you see any drawbacks, issues whatsoever in such an approach?

这是我下面的插件:

class MyPluginRequest{
    public static function getPost( $key ){
        global $_REAL_POST;
        return isset( $_REAL_POST[ $key ] )? $_REAL_POST[ $key ] : FALSE ;
    }
}

// A hack to cope with un-configurable call to wp_magic_quotes
// E.G. Make the original $_POST available through a global $_REAL_POST
global $_REAL_GET, $_REAL_POST, $_REAL_COOKIE, $_REAL_REQUEST;
$_REAL_GET     = $_GET;
$_REAL_POST    = $_POST;
$_REAL_COOKIE  = $_COOKIE;
$_REAL_REQUEST = $_REQUEST;

然后我每次需要发布未转义的值时都使用MyPluginRequest::getPost( 'submit' );.

I then use MyPluginRequest::getPost( 'submit' ); every time I need a posted unescaped value.

$wpdb->escape是期望已经神奇的报价值还是未转义的值?

Does $wpdb->escape expect an already magic quoted value or an unescaped one?

推荐答案

看起来应该可以正常工作.对于该问题的后半部分,我认为按注释块不推荐使用$wpdb->escape

That looks like it should work fine. On the later part of the question I believe $wpdb->escape is deprecated, per the comment block

/**
 * Do not use, deprecated.
 *
 * Use esc_sql() or wpdb::prepare() instead.
 *
 * ...

仔细查看WordPress代码以确定wpdb::prepare是否期望魔术引用的值使我们陷入了可怕的WordPress代码的泥潭... ...咬舌头<

Looking through the WordPress code to determine if wpdb::prepare expects magic quoted value leads us into a quagmire of horrid WordPress code... >bites tongue<

它看起来像是希望我使用非用引号引起来的字符串,但是,即使我通过测试验证,如果您将其传递给用引号引起来的字符串,也有可能不会两次转义.

It looks like it expects non-magic-quoted strings to me, but there's a chance it won't double escape if you pass it a magic quoted string, though I'd verify with a test.

这篇关于获取未转义的POST,而不是WordPress中的魔术引号的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-05 19:26
Powered by LMLPHP ©2024 而不是WordPress中的魔术引号 0.030329