Following the question: With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?
In WordPress, all superglobals are escaped even if magic quotes are off.
So, following this answer: With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?
If I create a plugin and a class to access raw POST, GET, etc., is it a good solution? Do you see any drawbacks, issues whatsoever in such an approach?
Here is my plugin below:
class MyPluginRequest{
public static function getPost( $key ){
global $_REAL_POST;
return isset( $_REAL_POST[ $key ] )? $_REAL_POST[ $key ] : FALSE ;
}
}
// A hack to cope with un-configurable call to wp_magic_quotes
// E.G. Make the original $_POST available through a global $_REAL_POST
global $_REAL_GET, $_REAL_POST, $_REAL_COOKIE, $_REAL_REQUEST;
$_REAL_GET = $_GET;
$_REAL_POST = $_POST;
$_REAL_COOKIE = $_COOKIE;
$_REAL_REQUEST = $_REQUEST;
I then use MyPluginRequest::getPost( 'submit' );
every time I need a posted unescaped value.
Does $wpdb->escape
expect an already magic quoted value or an unescaped one?
That looks like it should work fine. On the later part of the question I believe $wpdb->escape
is deprecated, per the comment block
/**
* Do not use, deprecated.
*
* Use esc_sql() or wpdb::prepare() instead.
*
* ...
Looking through the WordPress code to determine if wpdb::prepare
expects magic quoted value leads us into a quagmire of horrid WordPress code... >bites tongue<
It looks like it expects non-magic-quoted strings to me, but there's a chance it won't double escape if you pass it a magic quoted string, though I'd verify with a test.