Why does WordPress slash $_POST data?
-
Having these two files in the root WP directory, opening them and submitting a form produces two different results, even though the second one is only including the WordPress.
// post_test.php <?php $test = isset( $_POST[ 'test' ] ) ? $_POST[ 'test' ] : false; ?> <form method="POST"> <textarea name="test"><?php echo $test ? $test : 'lol "test"'; ?></textarea> <input type="submit"> </form>
// post_test_wp.php <?php require_once 'wp-load.php'; ?> <?php require_once 'post_test.php'; ?>
Basically, when we submit the
post_test.php
form resulting text field will contain the following text:lol "test";
While
post_test_wp.php
will result in the following “slashed” values:lol \"test\";
This will obviously break compatibility with 3rd party libraries that I maybe have to integrate with WordPress, and it’s just incredible that someone thought it’s a good idea to modify such an important global.
I know that ship to fix that has sailed, as there are many plugins and code that “depend” on this behaviour now, but I’m interested if any WordPress historian maybe knows the reason why this was done in the first place, just as a piece of trivia.
I’m assuming it was an attempt to “sanitize early” by some misguided soul, or to prevent SQL injections in some way.
How close are my guesses? 😀
- The topic ‘Why does WordPress slash $_POST data?’ is closed to new replies.