[wp-trac] [WordPress Trac] #38073: Goodbye wp_reset_vars()
WordPress Trac
noreply at wordpress.org
Fri Sep 16 12:34:37 UTC 2016
#38073: Goodbye wp_reset_vars()
----------------------------+-----------------------------
Reporter: swissspidy | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Keywords:
Focuses: administration |
----------------------------+-----------------------------
`wp_reset_vars()` sets global variables based on `$_POST` and `$_GET`
values. The function is used around 20 times in core and in my
opinion this should be zero. Even better, the function should be
deprecated.
Why?
First of all, it's easy to shoot yourself in the foot if you forget to
properly sanitize the input value. Second, globals set by
`wp_reset_vars()` aren't explicitly globalized in the files / functions
using it. You might stumble upon code like this:
{{{#!php
<?php
wp_reset_vars( array( 'foo', 'bar' ) );
// 100 lines further down…
// Where do these come from?!
echo $foo;
echo $bar;
}}}
And of course using globals is bad. It's not testable and should be
avoided if possible. Sanitized `$_GET` / `$_POST` values should be used
directly instead.
Related: #33837, #37699
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38073>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
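
Added example, not part of the ticket and not WordPress core code: the pattern the ticket objects to, next to explicit per-key reads that validate each request value and escape it on output. The `demo_*` function names and the request values are constructed for illustration, and `demo_reset_vars()` is only a stand-in for the behaviour the ticket describes. The script uses PHP built-ins so it runs without WordPress; inside WordPress, core helpers such as `wp_unslash()`, `sanitize_text_field()`, `absint()` and `esc_html()` would fill those roles.

```php
<?php
// Constructed request data: both values are under the client's control.
$_GET  = array( 'foo' => '<script>alert(1)</script>', 'bar' => '42abc' );
$_POST = array();

// Stand-in for the behaviour described in the ticket: copy request values
// into globals, unmodified. Hypothetical helper, not core code.
function demo_reset_vars( array $vars ) {
	foreach ( $vars as $var ) {
		if ( ! empty( $_POST[ $var ] ) ) {
			$GLOBALS[ $var ] = $_POST[ $var ];
		} elseif ( ! empty( $_GET[ $var ] ) ) {
			$GLOBALS[ $var ] = $_GET[ $var ];
		} else {
			$GLOBALS[ $var ] = '';
		}
	}
}

// Explicit read of one named key; rejects array input such as foo[]=x.
function demo_request_raw( $key ) {
	$raw = isset( $_POST[ $key ] ) ? $_POST[ $key ] : ( isset( $_GET[ $key ] ) ? $_GET[ $key ] : '' );
	return is_string( $raw ) ? $raw : '';
}

// Free text: strip control characters and cap the length.
function demo_request_text( $key, $max_len = 64 ) {
	$clean = preg_replace( '/[\x00-\x1F\x7F]/', '', demo_request_raw( $key ) );
	return substr( trim( (string) $clean ), 0, $max_len );
}

// Non-negative integer: anything that is not a clean integer becomes 0.
function demo_request_int( $key ) {
	$opts = array( 'options' => array( 'min_range' => 0 ) );
	$int  = filter_var( demo_request_raw( $key ), FILTER_VALIDATE_INT, $opts );
	return false === $int ? 0 : $int;
}

// Before: values arrive as globals with no visible origin and are used raw.
demo_reset_vars( array( 'foo', 'bar' ) );
$before = $GLOBALS['foo'] . ' / ' . $GLOBALS['bar'];

// After: local variables with an obvious source, validated on the way in
// and escaped for the HTML context on the way out.
$foo   = demo_request_text( 'foo' );
$bar   = demo_request_int( 'bar' );
$after = htmlspecialchars( $foo, ENT_QUOTES, 'UTF-8' ) . ' / ' . $bar;

echo "before: {$before}\n";
echo "after:  {$after}\n";
```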