[wp-hackers] Appending Query Strings to Pretty Permalinks

Andrew Nacin wp at andrewnacin.com
Tue Mar 8 06:52:42 UTC 2011

On Mon, Mar 7, 2011 at 2:39 PM, Chip Bennett <chip at chipbennett.net> wrote:

> Is there a better way to do what I'm doing? (I generally try to avoid
> using $_SERVER variables.)

If you *do* use $_SERVER['QUERY_STRING'] here, please don't use it directly.
You need to esc_url() it or any values you obtain from it, as it is unsafe.
As a general rule, always treat all $_SERVER variables as unsafe. Same with
$_GET, of course.


More information about the wp-hackers mailing list