[wp-trac] [WordPress Trac] #38073: Goodbye wp_reset_vars()

WordPress Trac noreply at wordpress.org
Fri Sep 16 15:49:33 UTC 2016


#38073: Goodbye wp_reset_vars()
-------------------------+------------------------------
 Reporter:  swissspidy   |       Owner:
     Type:  enhancement  |      Status:  new
 Priority:  normal       |   Milestone:  Awaiting Review
Component:  General      |     Version:
 Severity:  normal       |  Resolution:
 Keywords:               |     Focuses:  administration
-------------------------+------------------------------
Description changed by swissspidy:

Old description:

> `wp_reset_vars()` sets global variables based on `$_POST` and `$_GET`
> values. The function is used is used around 20 times in core and in my
> opinion this should be zero. Even better, the function should be
> deprecated.
>
> Why?
>
> First of all, it's easy to shoot yourself in the foot if you forget to
> properly sanitize the input value. Second, globals set bei
> `wp_reset_vars()` aren't explicitly globalized in the files / functions
> using it. You might stumble upon code like this:
>
> {{{#!php
> <?php
> wp_reset_vars( array( 'foo', 'bar' ) );
> // 100 lines further down…
>
> // Where do these come from?!
> echo $foo;
> echo $bar;
> }}}
>
> And of course using globals is bad. It's not testable and should be
> avoided if possible. Sanitized `$_GET` / `$_POST` values should be used
> directly instead.
>

> Related: #33837, #37699

New description:

 `wp_reset_vars()` sets global variables based on `$_POST` and `$_GET`
 values. The function is used around 20 times in core and in my opinion
 this should be zero. Even better, the function should be deprecated.

 Why?

 First of all, it's easy to shoot yourself in the foot if you forget to
 properly sanitize the input value. Second, globals set by
 `wp_reset_vars()` aren't explicitly globalized in the files / functions
 using it. You might stumble upon code like this:

 {{{#!php
 <?php
 wp_reset_vars( array( 'foo', 'bar' ) );
 // 100 lines further down…

 // Where do these come from?!
 echo $foo;
 echo $bar;
 }}}

 And of course using globals is bad. It's not testable and should be
 avoided if possible. Sanitized `$_GET` / `$_POST` values should be used
 directly instead.


 Related: #33837, #37699

--

--
Ticket URL: <https://core.trac.wordpress.org/ticket/38073#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
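Added example illustrating the ticket's point; this is not code from WordPress core or from the reporter. `reset_vars_from_request()` is a hypothetical stand-in that copies request parameters into same-named globals the way the ticket describes, and `request_param()` / `render_sort_link_safe()` are likewise invented here. The `$_GET` payload is constructed for the demo.

```php
<?php
// Hypothetical stand-in for the behaviour the ticket objects to (NOT the real
// wp_reset_vars()): POST wins over GET, the raw value lands in a global.
function reset_vars_from_request( array $vars ) {
    foreach ( $vars as $var ) {
        if ( ! empty( $_POST[ $var ] ) ) {
            $GLOBALS[ $var ] = $_POST[ $var ];
        } elseif ( ! empty( $_GET[ $var ] ) ) {
            $GLOBALS[ $var ] = $_GET[ $var ];
        } else {
            $GLOBALS[ $var ] = '';
        }
    }
}

// Constructed request: attacker-controlled `orderby`, harmless `page`.
$_GET  = array( 'orderby' => 'name"><script>alert(1)</script>', 'page' => '2' );
$_POST = array();

// --- Pattern the ticket argues against ------------------------------------
reset_vars_from_request( array( 'orderby', 'page' ) );
// ...100 lines further down, nothing says `global $orderby`, yet it is set,
// unsanitized, so this echo reflects the script tag into the page.
echo '<a href="?orderby=' . $orderby . '&page=' . $page . '">Sort (unsafe)</a>', "\n";

// --- Explicit alternative ---------------------------------------------------
// Read the parameter where it is used, validate it against an allowlist,
// escape for the output context. No implicit globals.
function request_param( string $name, string $default = '' ): string {
    if ( isset( $_POST[ $name ] ) && is_string( $_POST[ $name ] ) ) {
        return $_POST[ $name ];
    }
    if ( isset( $_GET[ $name ] ) && is_string( $_GET[ $name ] ) ) {
        return $_GET[ $name ];
    }
    return $default;
}

function render_sort_link_safe(): string {
    $allowed = array( 'name', 'date', 'title' );
    $orderby = request_param( 'orderby', 'name' );
    if ( ! in_array( $orderby, $allowed, true ) ) {
        $orderby = 'name'; // unknown value: fall back, never echo it back
    }
    $page = max( 1, (int) request_param( 'page', '1' ) );
    $href = '?orderby=' . rawurlencode( $orderby ) . '&page=' . $page;
    return '<a href="' . htmlspecialchars( $href, ENT_QUOTES, 'UTF-8' ) . '">Sort (safe)</a>';
}

echo render_sort_link_safe(), "\n";
```

Run with `php example.php`: the first line carries the raw `<script>` payload, the second collapses the bad `orderby` to `name` and emits an escaped URL. Inside core the same shape would use `wp_unslash()` on the raw value and the context-specific helpers (`sanitize_key()`, `absint()`, `esc_url()` / `esc_attr()`), but the structural point is the same: the read, the validation and the escape sit next to the use, so a reviewer can see all three without hunting for where a global was filled.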