Open bobbingwide opened 3 years ago
In `wp-settings.php`, after the `plugins_loaded` action hook, there's a call to `wp_magic_quotes()`.

```php
function wp_magic_quotes() {
	// Escape with wpdb.
	$_GET    = add_magic_quotes( $_GET );
	$_POST   = add_magic_quotes( $_POST );
	$_COOKIE = add_magic_quotes( $_COOKIE );
	$_SERVER = add_magic_quotes( $_SERVER );

	// Force REQUEST to be GET + POST.
	$_REQUEST = array_merge( $_GET, $_POST );
}
```

`add_magic_quotes()` is a recursive function. It calls `add_slashes()` for each string in each array.

`trace_startup()` is called when oik-bwtrace is loaded, which is before plugins loaded.

So now we ask, should oik-bwtrace defer tracing of these globals until `plugins_loaded`? Or should it retrace them after `add_magic_quotes()` has been called?

What's probably more important is to understand how to deal with backslashes in input text and textarea fields that get lost when we call `wp_unslash()`.
When tracing starts up the `trace_startup()` function traces values in `$_SERVER` and `$_REQUEST` if the trace level is BW_TRACE_INFO or higher.

The values in `$_REQUEST` may look like this.

`$_REQUEST` is a combination of `$_GET` and `$_POST`. If the trace level is BW_TRACE_DEBUG or higher then these two arrays are also traced.

In later processing I've noticed that the values in `$_REQUEST` have been escaped using `addslashes()`.

Notice that the single quotes have been escaped with a backslash. This is the effect of `addslashes()` / `wp_slash()`.

addslashes

If we attempt to compare values extracted from this array with the originals we may have to `stripslashes()` / `wp_unslash()`.

The questions I have are:
Finding the answers to the above questions should help the debugger determine what to do to fix their code.
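
The slash round trip described in this issue, as an added example that is not part of the original issue or of oik-bwtrace. `demo_add_magic_quotes()` and `demo_unslash()` are hypothetical stand-ins for WordPress's `add_magic_quotes()` and `wp_unslash()` so the script runs without WordPress, and the input values are constructed.

```php
<?php
// Stand-in for add_magic_quotes(): recursively addslashes() every string.
function demo_add_magic_quotes( array $input ): array {
    foreach ( $input as $key => $value ) {
        if ( is_array( $value ) ) {
            $input[ $key ] = demo_add_magic_quotes( $value );
        } elseif ( is_string( $value ) ) {
            $input[ $key ] = addslashes( $value );
        }
    }
    return $input;
}

// Stand-in for wp_unslash(): recursively stripslashes() every string.
function demo_unslash( $value ) {
    if ( is_array( $value ) ) {
        return array_map( 'demo_unslash', $value );
    }
    return is_string( $value ) ? stripslashes( $value ) : $value;
}

// Constructed request data, as PHP provides it before wp_magic_quotes() runs.
// This is the state a trace taken at plugin load time would record.
$raw = array(
    'title' => "It's a test",
    'path'  => 'C:\\temp\\new',               // the literal text C:\temp\new
    'meta'  => array( 'note' => 'say "hi"' ),
);

// State after wp_magic_quotes(): what code running later actually sees.
$slashed = demo_add_magic_quotes( $raw );

echo "early trace : ", json_encode( $raw ), PHP_EOL;
echo "later trace : ", json_encode( $slashed ), PHP_EOL;

// Comparing a later value with the original only works after unslashing once.
echo "direct compare equal     : ";
var_dump( $slashed['title'] === $raw['title'] );
echo "compare after one unslash: ";
var_dump( demo_unslash( $slashed ) === $raw );

// Unslashing a value that is already unslashed strips backslashes the user
// typed, which is how backslashes in text and textarea fields get lost.
$once  = demo_unslash( $slashed['path'] );
$twice = demo_unslash( $once );
echo "unslashed once : ", $once, PHP_EOL;
echo "unslashed twice: ", $twice, PHP_EOL;
```

Running it with the PHP CLI prints both states side by side, so a trace taken before `plugins_loaded` can be told apart from one taken afterwards.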