許多開(kāi)發(fā)人員不知道的一件事是,WordPress自動(dòng)將魔術(shù)引號(hào)添加到請(qǐng)求變量中。這意味著所有引號(hào),反斜杠和空字節(jié)字符都將以反斜杠轉(zhuǎn)義。
即使您在php.ini中禁用了魔術(shù)引號(hào),WordPress仍將反引號(hào)應(yīng)用于$ _GET,$ _ POST,$ _ COOKIE和其他超全局變量。如果您發(fā)現(xiàn)輸入數(shù)據(jù)中出現(xiàn)意外的斜線,這就是原因。
啟用魔術(shù)引號(hào)的功能稱為wp_magic_quotes()。在WordPress完成加載插件后不久,它就在中聲明/wp-includes/load.php并調(diào)用了/wp-settings.php。
/**
* Add magic quotes to $_GET, $_POST, $_COOKIE, and $_SERVER.
*
* Also forces $_REQUEST to be $_GET + $_POST. If $_SERVER, $_COOKIE,
* or $_ENV are needed, use those superglobals directly.
*
* @access private
* @since 3.0.0
*/
function wp_magic_quotes() {
// If already slashed, strip.
if ( get_magic_quotes_gpc() ) {
$_GET = stripslashes_deep( $_GET );
$_POST = stripslashes_deep( $_POST );
$_COOKIE = stripslashes_deep( $_COOKIE );
}
// Escape with wpdb.
$_GET = add_magic_quotes( $_GET );
$_POST = add_magic_quotes( $_POST );
$_COOKIE = add_magic_quotes( $_COOKIE );
$_SERVER = add_magic_quotes( $_SERVER );
// Force REQUEST to be GET + POST.
$_REQUEST = array_merge( $_GET, $_POST );
}那么,如何訪問(wèn)干凈,未轉(zhuǎn)義的數(shù)據(jù)呢?不幸的是,不編輯核心文件就不可能完全關(guān)閉WordPress魔術(shù)引號(hào)。但是,由于WordPress?在所有插件加載后添加了引號(hào),因此您可以在插件加載時(shí)(或在“ plugins_loaded”操作中)簡(jiǎn)單地獲取未修改的變量,并存儲(chǔ)本地副本供自己使用。這是一個(gè)例子:
class MyExamplePlugin {
//Local copies of the PHP superglobals.
private $get;
private $post;
private $cookie;
public function __construct() {
/* ... Other plugin code ... */
add_action('plugins_loaded', array($this, 'captureRequestVars'));
}
public function captureRequestVars() {
//Store the original GET and POST data + cookies.
$this->get = $_GET;
$this->post = $_POST;
$this->cookie = $_COOKIE;
//If magic quotes are actually enabled in PHP,
//we'll need to remove the slashes.
if ( get_magic_quotes_gpc() ) {
$this->get = stripslashes_deep($this->get);
$this->post = stripslashes_deep($this->post);
$this->cookie = stripslashes_deep($this->cookie);
}
}
public function doSomethingWithInput() {
/* ... */
//Use the internal copy of $_GET.
$something = $this->get['something'];
/* ... */
}
}
$myExamplePlugin = new MyExamplePlugin();現(xiàn)在您可能會(huì)想知道:為什么可以繼續(xù)按常規(guī)使用它們并僅stripslashes()在任何輸入數(shù)據(jù)上運(yùn)行時(shí),復(fù)制內(nèi)置PHP變量會(huì)遇到所有麻煩?有以下幾個(gè)原因:
- 遲早,您將忘記給
stripslashes()某個(gè)地方打電話。這可能導(dǎo)致難以發(fā)現(xiàn)的錯(cuò)誤。 - 代碼重復(fù)。當(dāng)您可以將反斜杠代碼放在一個(gè)地方時(shí),為什么還要將其擴(kuò)展到整個(gè)代碼庫(kù)中呢?
- 前向兼容性。如果WordPress團(tuán)隊(duì)決定停止仿效此已棄用的PHP錯(cuò)誤功能,則不加選擇地應(yīng)用于
stripslashes()所有輸入數(shù)據(jù)的插件和主題將突然中斷。
就是說(shuō),我不會(huì)指望WordPress很快就會(huì)放棄這一“功能”。這是向后兼容的問(wèn)題,有時(shí)WordPress似乎認(rèn)為兼容性比鼓勵(lì)良好的編程習(xí)慣更重要。
來(lái)源于: https://w-shadow.com/blog/2012/11/13/wordpress-magic-quotes/
