phpwordpressmagic-quotes-gpc

Get unescaped POST, not magic quoted values in WordPress


Following the question: With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?

In WordPress, all superglobals are escaped even if magic quotes are off.

So, following this answer: With "magic quotes" disabled, why does PHP/WordPress continue to auto-escape my POST data?

If I create a plugin and a class to access raw POST, GET, etc., is it a good solution? Do you see any drawbacks, issues whatsoever in such an approach?

Here is my plugin below:

class MyPluginRequest{
    public static function getPost( $key ){
        global $_REAL_POST;
        return isset( $_REAL_POST[ $key ] )? $_REAL_POST[ $key ] : FALSE ;
    }
}

// A hack to cope with un-configurable call to wp_magic_quotes
// E.G. Make the original $_POST available through a global $_REAL_POST
global $_REAL_GET, $_REAL_POST, $_REAL_COOKIE, $_REAL_REQUEST;
$_REAL_GET     = $_GET;
$_REAL_POST    = $_POST;
$_REAL_COOKIE  = $_COOKIE;
$_REAL_REQUEST = $_REQUEST;

I then use MyPluginRequest::getPost( 'submit' ); every time I need a posted unescaped value.

Does $wpdb->escape expect an already magic quoted value or an unescaped one?


Solution

  • That looks like it should work fine. On the later part of the question I believe $wpdb->escape is deprecated, per the comment block

    /**
     * Do not use, deprecated.
     *
     * Use esc_sql() or wpdb::prepare() instead.
     *
     * ...
    

    Looking through the WordPress code to determine if wpdb::prepare expects magic quoted value leads us into a quagmire of horrid WordPress code... >bites tongue<

    It looks like it expects non-magic-quoted strings to me, but there's a chance it won't double escape if you pass it a magic quoted string, though I'd verify with a test.