WordPress · jasonkenison · Sep 17, 2024 · Aug 26, 2025 · Aug 26, 2025 · Aug 26, 2025
diff --git a/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml b/WordPress/Docs/PHP/DiscouragedPHPFunctionsStandard.xml
@@ -0,0 +1,95 @@
+<?xml version="1.0"?>
+<documentation xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:noNamespaceSchemaLocation="https://phpcsstandards.github.io/PHPCSDevTools/phpcsdocs.xsd"
+    title="Discouraged PHP Functions"
+    >
+    <standard>
+    <![CDATA[
+    Use JSON instead of serialized data, which has known vulnerability problems with object injection.
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Using JSON to encode data.">
+        <![CDATA[
+$serialized = <em>wp_json_encode</em>( $my_array );
+$unserialized = <em>json_decode</em>( $my_array );
+        ]]>
+        </code>
+        <code title="Invalid: Using serialized data strings.">
+        <![CDATA[
+$serialized = <em>serialize</em>( $my_array );
+$unserialized = <em>unserialize</em>( $my_array );
+        ]]>
+        </code>
+    </code_comparison>
+    <standard>
+    <![CDATA[
+    URLs should now be encoded using rawurlencode().
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Encoding a url using rawurlencode().">
+        <![CDATA[
+<em>rawurlencode</em>( get_site_url() );
+        ]]>
+        </code>
+        <code title="Invalid: Encoding a url using urlencode().">
+        <![CDATA[
+<em>urlencode</em>( get_site_url() );
+        ]]>
+        </code>
+    </code_comparison>
+    <standard>
+    <![CDATA[
+    Avoid using functions which change configuration values at runtime. Invalid runtime configuration functions include `error_reporting()`, `ini_restore()`, `apache_setenv()`, `putenv()`, `set_include_path()`, `restore_include_path()`, `magic_quotes_runtime()`, `set_magic_quotes_runtime()`, and `dl()`.
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Not changing configuration at runtime.">
+        <![CDATA[
+// Configuration not changed at runtime.
+        ]]>
+        </code>
+        <code title="Invalid: Changing configuration at runtime">
-        <code title="Invalid: Changing configuration at runtime">
+        <code title="Invalid: Changing configuration at runtime.">
-        <code title="Invalid: Changing configuration at runtime">
+        <code title="Invalid: Changing configuration at runtime.">
+        <![CDATA[
+<em>apache_setenv( $variable, $value );</em>
+        ]]>
+        </code>
+    </code_comparison>
+    <standard>
+    <![CDATA[
+    Do not use PHP system calls. They are often disabled by server admins. Disallowed system call functions include `exec()`, `passthru()`, `proc_open()`, `shell_exec()`, `system()`, and `popen()`.
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Not using PHP system calls.">
+        <![CDATA[
+// Avoiding using PHP system calls.
+        ]]>
+        </code>
+        <code title="Invalid: Using PHP system calls.">
+        <![CDATA[
+<em>exec( $my_command );</em>
+        ]]>
+        </code>
+    </code_comparison>
+    <standard>
+    <![CDATA[
+    Functions often used for obfuscating code are strongly discouraged. Make sure the function is used for benign reasons.
+    ]]>
+    </standard>
+    <code_comparison>
+        <code title="Valid: Using functions for benign reasons.">
+        <![CDATA[
+// It is up to the developer to determine if the function is used for benign purposes or if they want to keep it.
+        ]]>
+        </code>
+        <code title="Invalid: Using functions to obfuscate code.">
+        <![CDATA[
+<em>eval( </em>base64_decode( $code_str )<em> )</em>;
+<em>convert_uudecode( $uuencoded )</code>em>;
+<em>str_rot13( $rot13_encoded )</em>;
+        ]]>
+        </code>
+    </code_comparison>
+</documentation>