Top reasons not to use setlocale() for character encoding conversion

Many WordPress plugins use the setlocale() function.

While it’s generally safe to use setlocale() to get various information about a specific locale, it’s essential to understand that using setlocale() to perform string manipulations has significant disadvantages.

The goal of this article is to raise awareness about those disadvantages.

Disadvantages

So, what are they?

Firstly, setlocale() is not thread-safe. If you run WordPress on shared hosting, you may experience sudden changes in locale settings, as though your pluginPlugin A plugin is a piece of software containing a group of functions that can be added to a WordPress website. They can extend functionality or add new features to your WordPress websites. WordPress plugins are written in the PHP programming language and integrate seamlessly with WordPress. These can be free in the WordPress.org Plugin Directory https://wordpress.org/plugins/ or can be cost-based plugin from a third-party never called setlocale().
String functions that rely on setlocale() to detect the current locale don’t process some characters correctly, even if the correct locale is set with setlocale().

Take a look at this 3vl4.org example.

The expected output of the script is Ž, but the actual output is Ů.

Recommendations

These are some recommendations on using setlocale() that could make using it safer:

Don’t use setlocale() to process strings in different encodings unless absolutely unavoidable.
Don’t use setlocale() with LC_ALL. Instead, specify the exact categoryCategory The 'category' taxonomy lets you group posts / content together that share a common bond. Categories are pre-defined and broad ranging. of functions you need (e.g., LC_MONETARY, LC_NUMERIC).
If you need to change the current locale, you must change it back to the previous value in order to preserve thread-sanity. At this time, C should be used as the default locale setting.

#best-practices, #security

EvgenyR 5:11 pm on September 9, 2022

Or use the mb_* function equivalent , e.g: for the example with strtoupper, replacing it with mb_strtoupper returns correct result.
- Anton Vlasenko 9:31 pm on September 9, 2022
  
  I agree with you on this.
  It would be great to always use the mbstring extension when working with strings.
  But, although mbstring is highly recommended, it is not required to run WordPress.
  Therefore, it is not available on some servers.
gentlemern 8:56 am on September 16, 2022

I feel like some plugins are only optimized to work for some style of themes only. the theme I m currently using for my telecom site does not allow me to use a featured imageFeatured image A featured image is the main image used on your blog archive page and is pulled when the post or page is shared on social media. The image can be used to display in widget areas on your site or in a summary list of posts. inside a post
- Ipstenu (Mika Epstein) 3:20 pm on September 16, 2022
  
  Hello @gentlemern – This is true and actually we allow plugins for specific themes only. This is the same as we allow plugins as add-ons for specific plugins only 🙂 It’s totally permissable.
  
  However that is not the topic of this post, which is about coding and best practices. You probably wanted to post in the forums instead – https://wordpress.org/support/forums/