Escaping Strings In WordPress
I’ve been developing a WordPress plugin and something has been puzzling me… No matter what the magic_quotes_gpc directive is set to, strings still get escaped automatically. Here’s an example:

<?php
/*
Plugin Name: Test
Plugin URI: https://www.www.ads-software.com
Description: Example plugin.
Author: ZephyrWest
Version: 0.1
Author URI: https://jlao.wordpress.com
*/

// Register a page under the Manage menu that is rendered by asdf_add_menu().
function asdf_add_menus() {
    add_management_page('asdf', 'asdf', 8, 'asdf', 'asdf_add_menu');
}
add_action('admin_menu', 'asdf_add_menus');

function asdf_add_menu() {
    echo '<div class="wrap">';

    // Echo the submitted value exactly as the plugin receives it.
    if( isset($_POST['submitme']) ) {
        echo $_POST['stuff'];
    }

    echo '
<form method="post">
<input type="text" name="stuff" />
<span class="submit"><input type="submit" name="submitme" value="submit" /></span>
</form>';

    // Report the PHP directive for comparison with the echoed value.
    echo "magic_quotes_gpc: ";
    echo get_magic_quotes_gpc() ? 'TRUE' : 'FALSE';

    echo '</div>';
}
?>

I ran the plugin multiple times with magic_quotes_gpc set to “On” and “Off” and in both cases, the string entered was escaped! And yes, I did restart Apache and PHP. To make sure, I wrote another script (non-WordPress plugin) to test it out:

<html>
<head>
<title>Untitled Document</title>
</head>
<body onLoad="document.getElementById('stuff').focus()">
<?php
// Echo the submitted value exactly as PHP hands it to the script.
if(isset($_POST['push_me'])) {
    echo '<p>' . $_POST['stuff'] . '</p>';
}
?>
<form method="post">
<input type="text" name="stuff" id="stuff" />
<input type="submit" name="push_me" value="foobar" />
</form>
<?php
echo "magic_quotes_gpc: ";
echo get_magic_quotes_gpc() ? 'TRUE' : 'FALSE';
?>
</body>
</html>

This worked correctly. Can anybody explain why strings still get escaped in WordPress even when magic_quotes_gpc is set to “Off”?
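
Added example, not part of the original post and not WordPress code: WordPress core adds slashes to request data during startup (wp_magic_quotes()), whatever magic_quotes_gpc is set to, which is the behaviour the test plugin shows. The stand-alone PHP below emulates that step with hypothetical demo_* helpers (standing in for wp_unslash() and esc_html()) and a constructed input, and shows that the slashes are not output escaping: the value has to be unslashed and then escaped before it is echoed.

```php
<?php
// Stand-alone emulation (constructed, not WordPress code); run with the PHP CLI.

// Hypothetical stand-in for the slashing WordPress applies to request data.
function demo_add_slashes($value) {
    return is_array($value)
        ? array_map('demo_add_slashes', $value)
        : addslashes($value);
}

// Hypothetical stand-in for wp_unslash(): recursively removes those slashes.
function demo_unslash($value) {
    return is_array($value)
        ? array_map('demo_unslash', $value)
        : stripslashes($value);
}

// Hypothetical stand-in for esc_html(): encode for an HTML text context.
function demo_esc_html($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, as the browser would send it for the "stuff" field.
$raw_post = array(
    'stuff'    => 'O\'Reilly said "hi" <b>bold</b>',
    'submitme' => 'submit',
);

// What a plugin sees in $_POST after the slashing step, with magic_quotes_gpc Off.
$post = demo_add_slashes($raw_post);

// 1. Echoed directly, as the test plugin does: the backslashes are visible
//    and the <b> markup is still live HTML.
echo "echoed directly : {$post['stuff']}\n";

// 2. Remove the slashes first, then escape for the output context.
$safe = demo_esc_html(demo_unslash($post['stuff']));
echo "unslash + escape: {$safe}\n";

// The round trip must restore the submitted text exactly.
if (demo_unslash($post) !== $raw_post) {
    throw new RuntimeException('unslash did not restore the original input');
}
```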