[wp-trac] [WordPress Trac] #43392: Support associative array type in register_meta()

WordPress Trac noreply at wordpress.org
Thu Aug 9 22:46:49 UTC 2018


#43392: Support associative array type in register_meta()
--------------------------------+------------------------------
 Reporter:  diegoliv            |       Owner:  (none)
     Type:  enhancement         |      Status:  new
 Priority:  normal              |   Milestone:  Awaiting Review
Component:  Options, Meta APIs  |     Version:  4.9.4
 Severity:  normal              |  Resolution:
 Keywords:  close               |     Focuses:  rest-api
--------------------------------+------------------------------

Comment (by mnelson4):

 Today in Slack @flixos90 said he thought this was a good addition. I also
 think this will be handy.

 For our plugin's REST API endpoints, we have fields that are arrays and
 they support both reading and writing, and so far haven't had any trouble
 (see https://github.com/eventespresso/event-espresso-core/blob/master/docs/C--REST-API/ee4-rest-api-reading-data.md#serialized-php-objects-in-responses-are-removed).

 Input from the API client needs to always be a JSON array, which is easily
 converted into a PHP array, and then can be stored easily via
 serialization. We never, ever accept a string that represents a serialized
 thing, which could be a serialized PHP class, which expands the attack
 vector like @rmccue was talking about in his blog post. So, this way we're
 never unserializing user input.

 Those same fields only ever serve PHP arrays, which map nicely into JSON
 objects. So this way it's not lossy either, which was @rmccue's other main
 problem.

 So I don't see why WP core couldn't likewise support `register_meta()`
 with `'type' => 'array'`, where the input is always JSON arrays (which is
 received as a PHP array and gets serialized, so it wouldn't actually need
 to run `maybe_serialize()`), and the value is stored in the DB as a
 serialized array, and then when retrieving the data from the DB, we
 unserialize it to a PHP array, and then serve it as a JSON object again
 over the REST API. (Optionally, WP core could decide on a different method
 of serializing the PHP array, like `json_encode`ing, but continuing with
 PHP's `serialize` methods is more consistent).

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/43392#comment:7>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
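
The flow described in the comment above, as an added example that is not part of the original message and is not WordPress or Event Espresso code: the field accepts only a decoded JSON array, the server serializes it itself, and client-supplied text is never passed to `unserialize()`. Function names and payloads are hypothetical and constructed; `allowed_classes => false` on read is an extra hardening step assumed here, not something the comment mentions (requires PHP 7.3+).

```php
<?php
// Added example; function names and sample payloads are hypothetical.

/** Accept only a decoded JSON array/object; reject everything else, strings included. */
function accept_array_field(string $json_body): array {
    $value = json_decode($json_body, true, 32, JSON_THROW_ON_ERROR);
    if (!is_array($value)) {
        throw new InvalidArgumentException('field must be a JSON array or object');
    }
    // json_decode(..., true) yields only arrays, scalars and null, so the
    // serialize() call below can never emit an object ("O:") token of its own.
    return $value;
}

/** Store: the server serializes its own PHP array; client text is never unserialized. */
function to_db(array $value): string {
    return serialize($value);
}

/** Load: allowed_classes=false is defense in depth in case the stored row was tampered with. */
function from_db(string $stored): array {
    $value = unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('stored meta is not an array');
    }
    return $value;
}

// Constructed request bodies for the array-typed field.
$payloads = [
    'plain array'             => '{"venue":"Hall A","tags":["a","b"]}',
    'serialized-looking text' => '"O:8:\"stdClass\":0:{}"',
    'nested serialized text'  => '{"note":"O:8:\"stdClass\":0:{}"}',
];

foreach ($payloads as $label => $body) {
    try {
        $stored = to_db(accept_array_field($body));
        $loaded = from_db($stored);
        echo $label, ': stored ', $stored, ' -> ', json_encode($loaded), PHP_EOL;
    } catch (InvalidArgumentException | JsonException $e) {
        echo $label, ': rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The bare serialized-looking string is rejected for not being an array, while the same text nested inside an array is stored as a length-prefixed string and comes back as a string, never as an object.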

