Conflict with WP-SpamShield plugin

For now PO can be set with wp-spamshield deactivated and activate wp-spamshield later. PO keeps settings.

I can confirm that Wp-Spamshield does something that is not recommended. It modifies the php $_POST array. Which messes with Plugin Organizer and I would imagine other plugins. On the post type page an array is submitted to php with the plugins you have deactivated. That contains an array for each of the roles you have active. The key for those arrays is the role name. Wp-Spamshield changes that array from an associative array to an indexed array. The result is an array with numbered keys instead of the role names. So Plugin Organizer sees it as if you have enabled everything on every role. A plugin should never change the $_POST, $_GET, or $_REQUEST arrays. You should contact the author of Wp-Spamshield and ask them to rethink what they are doing to the $_POST array.

It looks like it’s probably on line 844 of includes/class.security.php where they change the array indexes.

@foomagoo,

Jeff, I’m the lead developer of WP-SpamShield.

A plugin should never change the $_POST, $_GET, or $_REQUEST arrays.

That’s not exactly accurate, and it’s a bit of an amusing thing for you to say, considering your plugin’s main purpose is to interfere with the functionality of other plugins. In our opinion, no plugin should do that, because you’re creating an easy way for people to break plugin functionality. Not to mention, it creates a tech support headache for other plugin developers. Good plugin developers have their functions fire in very specific orders, for very specific reasons.

We’ve coded it like that for a very good reason: To prevent plugins like yours, and specifically Plugin Organizer, from incorrectly altering the functionality of WP-SpamShield.

If you disagree with that, feel free to get in touch with us privately, and we can provide some suggestions for changes to your plugin that will allow it to be more compatible with other plugins. We have a compatibility guide for plugin developers, and there is a form at the bottom you can use to get in touch with us.

For one: there needs to be an easy and well-documented mechanism for other plugins to be whitelisted/opt-out from your plugin, so that it will not affect their functionality, otherwise other plugin devs will come up with their own solutions for blocking your plugin, to prevent it from breaking key functionality.

— Scott

It’s not really an odd thing to say. It’s general knowledge in the web application development field that the $_POST, $_GET, and $_REQUEST arrays should not be modified outside of the PHP core. You are breaking valid functionality in a plugin. You are reindexing a posted array incorrectly because you call array_values on an associative array. Which changes the associative array to an indexed array. You also don’t take multidimensional arrays into account in your code.

Hi Jeff,

Well, it certainly is, considering that your entire plugin alters the functionality of other plugins, without considering that it’s being done without understanding how the other plugin works, or what functionality it might break.

It’s general knowledge in the web application development field that the $_POST, $_GET, and $_REQUEST arrays should not be modified outside of the PHP core.

FALSE. Not sure where you’re getting that from. In security apps, it’s an absolute necessity.

You are breaking valid functionality in a plugin.

Really? You don’t see the irony? ?? I will refer to my previous statement: “your entire plugin alters the functionality of other plugins…”

You are reindexing a posted array incorrectly because you call array_values on an associative array. Which changes the associative array to an indexed array. You also don’t take multidimensional arrays into account in your code.

No, I think you misunderstand…We made those edits a long time ago to create a compatibility fix. If you’ve changed it since then, I’m sorry, but we don’t have the time follow your code changes.

If you provide a way for other plugins to opt-out, we’ll be happy to use that. If you’d like to discuss other compatibility improvements, as I mentioned, you’re welcome to contact us.

– Scott

@stagger-lee,

Unfortunately (at least for now) the two plugins are not compatible. Feel free to contact our tech support if you need any help.

So apparently you don’t understand the difference between a superglobal and wordpress option. If you think it’s good design to change the structure of a superglobal then I would recommend everyone to not use your plugin. That can cause major problems in wordpress or any php application. Preventing a plugin from loading entirely can have bad affects. I’ve never said anything different.

FALSE. Not sure where you’re getting that from. In security apps, it’s an absolute necessity.

I’m getting my information from the 20+ years of experience I have as a web developer. Changing a superglobal in PHP is a hack and bad design. One reason for that is that you have no idea how the variable is structured. And you might end up changing that structure and causing the application to wipe out a database table. Which is essentially what happens to the po_plugins table when your plugin changes the structure of the $_POST array. It sets everything back to default. The $_POST, $_GET, and $_REQUEST arrays are intended to be a way to transfer data from a browser to the server unfiltered outside of the core functionality of PHP. Changing that data makes the environment unpredictable. I’m sorry you can’t take the time to look at the bug you created in your code. I really can’t fix it for you. I’ve already pointed out exactly which line of code is causing it.

@foomagoo

We’ve tried to respond professionally to you, but you don’t seem to want to act like a professional. We’re one of the most experienced WP dev teams out there, been doing web dev and security for over 2 decades ourselves, and have done tech support on literally tens of thousands of WordPress sites.

If you want to make personal attacks, we’re not going to play that game. Your facts are incorrect. If you want to discuss further, then lets do it in private, and act like professionals.

– Scott

So I’m going to mark this and another thread as resolved. We know what the problem is. Wp-Spamshield won’t allow a multidimensional or associative array to be posted to WordPress.

• This reply was modified 7 years, 5 months ago by Jeff Sterup.

@foomagoo

Wp-Spamshield won’t allow a multidimensional or associative array to be posted to WordPress.

That’s not true. Please do not post inaccurate information about WP-SpamShield. Already explained above.

Common people, some solution can you find.

Without Us dealing with plugin core changes.

• This reply was modified 7 years, 5 months ago by Stagger Lee.

Sorry. But I was responding to your “personal attacks” in kind. Though nothing either of us said is really personal. You’ve created a bug that doesn’t allow an associative array to be posted to the ajax endpoint and specifically targeted my plugin by looking for the variables that are posted that begin with PO_. I post an array to the wordpress ajax endpoint that should have the $_POST array come through like this.

Array
(
    [PO_disabled_std_plugin_list] => Array
        (
            [_] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

            [administrator] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

            [author] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

            [contributor] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

        )

    [PO_disabled_mobile_plugin_list] => Array
        (
            [_] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

            [administrator] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

            [author] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

            [contributor] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

        )

    [selectedPostType] => page
    [PO_total_post_count] => 0
    [PO_post_offset] => 0
    [PO_nonce] => dcdae48b15
)

When your plugin is active it comes through like this.

Array
(
    [PO_disabled_std_plugin_list] => Array
        (
            [0] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

            [1] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

            [2] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

            [3] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

        )

    [PO_disabled_mobile_plugin_list] => Array
        (
            [0] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

            [1] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

            [2] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

            [3] => Array
                (
                    [0] => autoptimize/autoptimize.php
                )

        )

    [selectedPostType] => page
    [PO_total_post_count] => 0
    [PO_post_offset] => 0
    [PO_nonce] => dcdae48b15
)

Then you say it’s my code that is the problem. I can see in your code that you are intentionally breaking the functionality of my plugin so that it won’t disable yours. By attempting to keep your plugin active you are completely breaking the functionality of Plugin Organizer. So it does look like our plugins are incompatible.

Sorry @stagger-lee. The plugins are incompatible.

Have to remember to disable WP-SpamShield and activate it later when PO is all set and finished.

Man, 3 million of steps when developing. Who can remember them all without writing it down. This one extra step is really not needed.