Xdebug is not friends with WordPress + create_function()

If you use Xdebug for debugging WordPress-based sites there’s something you should be aware of. If function created with PHP’s create_function() are hooked to WordPress actions or filters, any time $wp_filters is in the scope Xdebug sends invalid XML to the Xdebug client, (like your IDE). If the Xdebug client doesn’t deal with the invalid characters before attempting to parse the XML it will fail. IDEs deal with the parsing failure in different ways, SublimeTextXdebug doesn’t show the call stack or list of current variables but doesn’t crash entirely so debugging can continue. I don’t know how other IDEs handle the failure.

Why the XML is Invalid

create_function() makes a new function, gives it a random name that starts with a null character, and returns that function name as a string. When that string is passed to WordPress’s add_filter() or add_action() functions the name that create_function() returned is used as an array key in deep within the $wp_filters global. When Xdebug sends the list of variables back to an Xdebug client it is sent as XML and the null character encoded as � which is illegal in XML.

How to solve the Problem

Ideally Xdebug would only send valid XML to the Xdebug client, but the bug report has been open for a year and doesn’t seem to be high priority so developers should solve the problem by avoiding create_function()

Avoiding create_function() is Good Coding

create_function() eval()‘s the code that’s passed as the second argument, and eval() is something to be avoided, so create_function() is too. This Xdebug bug makes us avoid create_function() for actions and filters in order to keep Xdebug useful, with the side effect of making our code a bit more secure.

WordPress Exploit Scanner should mean Fewer Hacked Blogs

A couple of weeks ago an article about hacked WordPress sites came up in my WordPress admin dashboard.  I hadn’t been paying attention to all of the noise that was apparently going on about hacked blogs, but this article got my attention, and I read it.  I learned a lot about how to see if my blog was hacked, but a lot of it consisted of searching for strings in all of my wordpress files, which would involve downloading them all to my computer.  What a pain in the ass.

Well, that was two and a half weeks ago. Times have changed. Donncha has come out with the WordPress Exploit Scanner, (currently version 0.1).  It does the work for you!  Download it and check your wordpress blog.  I did, (and I came up clean).