[wp-trac] [WordPress Trac] #38073: Goodbye wp_reset_vars()
WordPress Trac
noreply at wordpress.org
Fri Sep 16 15:49:33 UTC 2016
#38073: Goodbye wp_reset_vars()
-------------------------+------------------------------
Reporter: swissspidy | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: General | Version:
Severity: normal | Resolution:
Keywords: | Focuses: administration
-------------------------+------------------------------
Description changed by swissspidy:
Old description:
> `wp_reset_vars()` sets global variables based on `$_POST` and `$_GET`
> values. The function is used is used around 20 times in core and in my
> opinion this should be zero. Even better, the function should be
> deprecated.
>
> Why?
>
> First of all, it's easy to shoot yourself in the foot if you forget to
> properly sanitize the input value. Second, globals set bei
> `wp_reset_vars()` aren't explicitly globalized in the files / functions
> using it. You might stumble upon code like this:
>
> {{{#!php
> <?php
> wp_reset_vars( array( 'foo', 'bar' ) );
> // 100 lines further down…
>
> // Where do these come from?!
> echo $foo;
> echo $bar;
> }}}
>
> And of course using globals is bad. It's not testable and should be
> avoided if possible. Sanitized `$_GET` / `$_POST` values should be used
> directly instead.
>
> Related: #33837, #37699
New description:
`wp_reset_vars()` sets global variables based on `$_POST` and `$_GET`
values. The function is used around 20 times in core and in my opinion
this should be zero. Even better, the function should be deprecated.
Why?
First of all, it's easy to shoot yourself in the foot if you forget to
properly sanitize the input value. Second, globals set by
`wp_reset_vars()` aren't explicitly globalized in the files / functions
using it. You might stumble upon code like this:
{{{#!php
<?php
wp_reset_vars( array( 'foo', 'bar' ) );
// 100 lines further down…
// Where do these come from?!
echo $foo;
echo $bar;
}}}
And of course using globals is bad. It's not testable and should be
avoided if possible. Sanitized `$_GET` / `$_POST` values should be used
directly instead.
Related: #33837, #37699
--
Ticket URL: <https://core.trac.wordpress.org/ticket/38073#comment:1>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
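The pattern the ticket argues against, and the direct, sanitized alternative it recommends, side by side as an added example. This is not WordPress core code and not the reporter's code: `demo_reset_vars()` is a simplified stand-in for the behaviour the ticket describes (copy `$_POST`/`$_GET` values into same-named globals, unsanitized), and `current_tab()`, `current_page()`, `render_tab_unsafe()` and `render_tab_safe()` are names chosen for this illustration. The request values at the top are constructed so the file runs from the command line.

```php
<?php
// Added example, not WordPress core code: a simplified stand-in for the
// wp_reset_vars() pattern the ticket describes, beside a direct, sanitized
// alternative. The request data below is constructed for the demo.

declare(strict_types=1);

// Constructed request for demonstration; in a real request PHP fills these.
$_GET  = array( 'tab' => '<script>alert(1)</script>', 'paged' => '3abc' );
$_POST = array();

/**
 * Simplified imitation of the behaviour the ticket describes: for each name,
 * copy the value from $_POST or $_GET into a global of the same name, with
 * no sanitization. This is the pattern the ticket wants removed, reproduced
 * only to show the problem.
 */
function demo_reset_vars( array $vars ): void {
    foreach ( $vars as $var ) {
        if ( isset( $_POST[ $var ] ) ) {
            $GLOBALS[ $var ] = $_POST[ $var ];
        } elseif ( isset( $_GET[ $var ] ) ) {
            $GLOBALS[ $var ] = $_GET[ $var ];
        } else {
            $GLOBALS[ $var ] = '';
        }
    }
}

// --- The problematic pattern ---------------------------------------------
demo_reset_vars( array( 'tab', 'paged' ) );

function render_tab_unsafe(): string {
    // $tab appears from nowhere: it is a global set by demo_reset_vars()
    // somewhere else in the file. Echoing it raw reflects request-controlled
    // markup into the page, which is the foot-gun the ticket warns about.
    global $tab;
    return '<h2>' . $tab . '</h2>';
}

// --- The alternative the ticket recommends -------------------------------

/**
 * Read the request value at the place it is used, with an explicit
 * allow-list, so both the source and the sanitization are visible at the
 * call site. In WordPress the same job is usually done with helpers such as
 * sanitize_text_field() and absint(); plain PHP is used here so the file
 * runs stand-alone.
 */
function current_tab( array $allowed, string $default = 'general' ): string {
    $tab = isset( $_GET['tab'] ) ? (string) $_GET['tab'] : $default;
    return in_array( $tab, $allowed, true ) ? $tab : $default;
}

function current_page(): int {
    // FILTER_VALIDATE_INT rejects "3abc" outright instead of truncating it to 3,
    // and min_range keeps the page number positive.
    $paged = filter_var(
        $_GET['paged'] ?? 1,
        FILTER_VALIDATE_INT,
        array( 'options' => array( 'min_range' => 1 ) )
    );
    return false === $paged ? 1 : $paged;
}

function render_tab_safe(): string {
    $tab = current_tab( array( 'general', 'writing', 'reading' ) );
    // Escape on output as well, even though the value is already allow-listed.
    return '<h2>' . htmlspecialchars( $tab, ENT_QUOTES, 'UTF-8' ) . '</h2>';
}

echo render_tab_unsafe(), PHP_EOL;
echo render_tab_safe(), PHP_EOL;
echo current_page(), PHP_EOL;
```

Running the file shows the unsafe renderer reflecting the constructed `<script>` value, while the direct approach falls back to the default tab and page because neither constructed value passes validation. The point is not the escaping itself but locality: with the global gone, a reader of `render_tab_safe()` can see in one place where the value comes from and what was done to it.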