[wp-trac] [WordPress Trac] #65044: get_post_custom_values() missing array check, inconsistent with get_post_custom_keys()

WordPress Trac noreply at wordpress.org
Tue Apr 21 14:53:39 UTC 2026


#65044: get_post_custom_values() missing array check, inconsistent with
get_post_custom_keys()
-------------------------------------------------+-------------------------
 Reporter:  saratheonline                        |       Owner:
                                                 |  saratheonline
     Type:  defect (bug)                         |      Status:  assigned
 Priority:  normal                               |   Milestone:  7.1
Component:  Posts, Post Types                    |     Version:  trunk
 Severity:  normal                               |  Resolution:
 Keywords:  has-patch needs-testing needs-unit-  |     Focuses:
  tests                                          |
-------------------------------------------------+-------------------------

Comment (by darshitrajyaguru97):

 == Additional Testing & Validation ==

 I’ve tested this behavior on PHP 8.2 with `E_ALL` enabled and can confirm
 the inconsistency described in this ticket.

 While `get_post_custom_values()` does not produce a fatal error and
 ultimately returns `null`, it still attempts to access an array offset on
 a non-array value when `get_post_custom()` fails.

 Example test:

 {{{
 add_action( 'wp_ajax_test_65044', function() {
     $id = 999999; // Non-existent post ID
     $values = get_post_custom_values( 'some_key', $id );

     var_dump( error_reporting() );

     wp_send_json_success( array( 'result' => $values ) );
 });
 }}}

 In this case, `get_post_custom()` returns `false` (or an empty string),
 and `get_post_custom_values()` proceeds with:

 {{{
 $custom[ $key ]
 }}}

 This results in an invalid offset access on a boolean/string value.
 Although PHP 8+ may not always surface it visibly (depending on error
 handling), it still constitutes a silent failure and violates defensive
 coding practices.

 === Consistency with Sibling Function ===

 The related function `get_post_custom_keys()` already includes a
 safeguard:

 {{{
 if ( ! is_array( $custom ) ) {
     return;
 }
 }}}

 Adding the same `is_array()` check in `get_post_custom_values()` would:

 * Prevent invalid offset access at the logic level
 * Align behavior with its sibling function
 * Avoid silent failures under stricter error reporting environments

 === Recommendation ===

 Introduce a defensive check before accessing the array:

 {{{
 $custom = get_post_custom( $post_id );

 if ( ! is_array( $custom ) ) {
     return null;
 }

 return isset( $custom[ $key ] ) ? $custom[ $key ] : null;
 }}}

 This is a minimal, backward-compatible fix that improves robustness and
 consistency across the API.

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/65044#comment:6>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

