Forum Replies Created

  • @robwent I definitely see where you’re coming from. I think part of the issue is that we underestimated the number of folks that are using get_field() to get values for fields that don’t technically exist or to get fields unrelated to ACF.

    The other part of the issue is that this was part of a security fix, which we would typically prefer to hold off on disclosing until folks have had a chance to update. That said, we definitely could have done better at documenting this once we did release the update. We’ve since updated the docs for get_field() to include some notes about this change, and updated the release post to point to those notes.

    Regarding how this change improves security – the problem with get_field() being able to get arbitrary values is that it opens up vulnerabilities with things like AJAX requests or form submissions where get_field() might be manipulated by the request data.

  • @t0su @retroriff @aodesign @williamsp

    If you’re still having issues, could you please shoot an email to [email protected] so we can troubleshoot further? We’re happy to help out, although it might be a bit tough on the forum.

  • Hey folks,

    This is likely happening as a result of a recent security update to the logic behind get_field() and similar functions.

    The problem was that before ACF 5.11, get_field() would return a value even if there wasn’t a matching field. This meant that it could be used to grab non-ACF data, including arbitrary options or user meta.

    However, get_field() should still work in ACF 5.11, as long as the field that you want the value for exists.

    We have seen some cases in support where fields/field groups registered via PHP (via acf_add_local_field_group(), acf_add_local_field(), and the like) are registered on a late action hook, or on a hook specific to the admin or front end, etc.

    In those cases, though the field is registered, it may not be available at the time that get_field() is called, so null is returned.

    If you think that might be what’s happening to you, registering the fields on the “acf/init” action hook or just in your theme’s functions.php file should resolve the issue. Otherwise, feel free to reply here or shoot us an email so we can dig into it further.
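
The two points made in the replies above, registering PHP-defined fields on "acf/init" and not letting request data choose what get_field() reads, shown together as an added example that is not part of the original posts or ACF's own code. The field group, field name, AJAX action and nonce action are hypothetical.

```php
<?php
// Added example: the keys, field name, AJAX action and nonce are hypothetical.

// Register the local field group on acf/init so the field exists before any
// get_field() call, in the admin and on the front end alike.
add_action( 'acf/init', function () {
    acf_add_local_field_group( array(
        'key'      => 'group_example_event',            // hypothetical key
        'title'    => 'Event details',
        'fields'   => array(
            array(
                'key'   => 'field_example_event_venue', // hypothetical key
                'label' => 'Venue',
                'name'  => 'event_venue',
                'type'  => 'text',
            ),
        ),
        'location' => array(
            array(
                array( 'param' => 'post_type', 'operator' => '==', 'value' => 'post' ),
            ),
        ),
    ) );
} );

// AJAX handler: the field name arrives in the request, so it is checked
// against a fixed allowlist instead of being passed straight to get_field().
function example_ajax_get_event_field() {
    check_ajax_referer( 'example_event_nonce', 'nonce' );

    $allowed = array( 'event_venue' );
    $raw     = isset( $_POST['field'] ) && is_string( $_POST['field'] ) ? wp_unslash( $_POST['field'] ) : '';
    $name    = sanitize_key( $raw );
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    if ( ! in_array( $name, $allowed, true ) || ! $post_id ) {
        wp_send_json_error( 'Unknown field', 400 );
    }
    // Only return values from posts that are publicly visible.
    if ( 'publish' !== get_post_status( $post_id ) ) {
        wp_send_json_error( 'Not found', 404 );
    }

    wp_send_json_success( get_field( $name, $post_id ) );
}
add_action( 'wp_ajax_example_get_event_field', 'example_ajax_get_event_field' );
add_action( 'wp_ajax_nopriv_example_get_event_field', 'example_ajax_get_event_field' );
```

The allowlist still matters on ACF 5.11 and later: the update stops get_field() from reading non-ACF data, but a request-controlled selector could otherwise reach any registered field.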
