[wp-trac] [WordPress Trac] #23416: Form handlers assume $_POST elements will be strings
WordPress Trac
noreply at wordpress.org
Thu Feb 7 19:26:18 UTC 2013
#23416: Form handlers assume $_POST elements will be strings
-----------------------------+--------------------------
Reporter: tabacco | Type: defect (bug)
Status: new | Priority: normal
Milestone: Awaiting Review | Component: Comments
Version: 3.5.1 | Severity: normal
Keywords: |
-----------------------------+--------------------------
I'm running WordPress 3.5.1 on PHP 5.3.
This example is from lines 50-53 of wp-comments-post.php:
{{{
$comment_author       = ( isset($_POST['author']) )  ? trim(strip_tags($_POST['author'])) : null;
$comment_author_email = ( isset($_POST['email']) )   ? trim($_POST['email']) : null;
$comment_author_url   = ( isset($_POST['url']) )     ? trim($_POST['url']) : null;
$comment_content      = ( isset($_POST['comment']) ) ? trim($_POST['comment']) : null;
}}}
The issue is that if your post data contains something like:
{{{
author[]=foo&author[]=bar
}}}
or
{{{
comment[]=foo
}}}
Then the corresponding values in $_POST will be arrays, not strings,
causing an E_WARNING.
There seem to be a number of other places where $_POST data is passed
directly to PHP string functions as well, causing potential warnings.
These should be handled gracefully by checking the type of the element
being grabbed from $_POST first:
{{{
$comment_author       = ( isset($_POST['author']) && is_string($_POST['author']) )   ? trim(strip_tags($_POST['author'])) : null;
$comment_author_email = ( isset($_POST['email']) && is_string($_POST['email']) )     ? trim($_POST['email']) : null;
$comment_author_url   = ( isset($_POST['url']) && is_string($_POST['url']) )         ? trim($_POST['url']) : null;
$comment_content      = ( isset($_POST['comment']) && is_string($_POST['comment']) ) ? trim($_POST['comment']) : null;
}}}
--
Ticket URL: <http://core.trac.wordpress.org/ticket/23416>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
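
Added example, not part of the ticket and not WordPress core code: the is_string() check proposed in the ticket, factored into one helper and run over constructed request bodies. read_post_string() and the sample bodies are assumptions made for illustration; parse_str() is used here because it turns bracket syntax into arrays the same way PHP does when it fills $_POST.

```php
<?php
// Added example. read_post_string() is a hypothetical helper, not a WordPress API.

/**
 * Return a trimmed string field from a request array, or null when the
 * key is missing or the value is not a string (for example author[]=foo).
 */
function read_post_string( array $source, $key, $strip_tags = false ) {
    if ( ! isset( $source[ $key ] ) || ! is_string( $source[ $key ] ) ) {
        return null; // Arrays never reach trim() or strip_tags().
    }
    $value = $source[ $key ];
    if ( $strip_tags ) {
        $value = strip_tags( $value );
    }
    return trim( $value );
}

// Constructed request bodies: one well-formed, two using bracket syntax.
$bodies = array(
    'author=%20Alice%20&email=a%40example.com&comment=hello',
    'author[]=foo&author[]=bar&comment[]=foo',
    'author[name]=foo&comment=ok',
);

foreach ( $bodies as $body ) {
    parse_str( $body, $post ); // $post stands in for $_POST here.
    $fields = array(
        'author'  => read_post_string( $post, 'author', true ),
        'email'   => read_post_string( $post, 'email' ),
        'url'     => read_post_string( $post, 'url' ),
        'comment' => read_post_string( $post, 'comment' ),
    );
    echo $body, "\n";
    foreach ( $fields as $name => $value ) {
        // Show the raw type next to the sanitized result.
        $raw_type = isset( $post[ $name ] ) ? gettype( $post[ $name ] ) : 'unset';
        echo "  $name: ", var_export( $value, true ), " (raw type: $raw_type)\n";
    }
}
```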