[wp-hackers] escape data before db insert?
mailings at bdisfunctional.net
Wed Jan 17 18:13:40 GMT 2007
Some time ago I had a discussion about escaping data in WordPress. If I
understood it correctly, this person claimed that all GPC data will be
escaped by WordPress before handing it over. I actually doubt that this
is the case due to the existence of $wpdb->escape().
Now my question is: Do I need to manually call $wpdb->escape() on every
piece of data I would like to insert into the database or not?
Actually when I do use it, I get an extra slash with this example:
$string = "O'Reilly" (comes in via $_GET or $_POST)
after I use
becomes after retrieving it from the database and echoing it:
So I presume it is already escaped before I used $wpdb->escape() and the
extra $wpdb->escape() changes it into O\\'Reilly before inserting it
into the database.
Could someone from the core team tell a bit more about when to escape and
when not to? I would like to harden my plugin against XSS and SQL
injection and I'd rather not have someone's WordPress install get messed
up due to my plugin.
Thanks in advance!
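The double-escaping the poster describes, as an added stand-alone example (not code from the post or from WordPress): it assumes that request data has already had slashes added before the plugin sees it, models $wpdb->escape() as addslashes(), and models what MySQL stores from a backslash-escaped literal with stripslashes().

```php
<?php
// Added example: models the "extra slash" effect from the post.
// Assumptions: GPC data arrives already slashed (modelled with addslashes),
// $wpdb->escape() behaves like addslashes(), and the value MySQL stores from
// a backslash-escaped string literal is what stripslashes() yields.

// Constructed input: what the browser actually sent in $_GET / $_POST.
$raw = "O'Reilly";

// Step 1: request-level slashing of GPC data, as the poster assumes WordPress does.
$gpc = addslashes($raw);                        // O\'Reilly

// Model of $wpdb->escape() (assumption for this demo).
function wpdb_escape_model(string $s): string
{
    return addslashes($s);
}

// Model of the value that ends up in the table for a given escaped literal.
function stored_value_model(string $escaped): string
{
    return stripslashes($escaped);
}

// Step 2a: escaping the already-slashed value again -> backslash survives into the DB.
$double = wpdb_escape_model($gpc);              // O\\\'Reilly
$storedDouble = stored_value_model($double);    // O\'Reilly  (the extra slash)

// Step 2b: strip the request-level slashes first, then escape exactly once
// right before building the query -> the DB holds the original text.
$once = wpdb_escape_model(stripslashes($gpc));  // O\'Reilly
$storedOnce = stored_value_model($once);        // O'Reilly

// Output encoding is a separate concern from SQL escaping: when echoing the
// value into HTML, encode for HTML instead of relying on SQL escaping.
$html = htmlspecialchars($storedOnce, ENT_QUOTES, 'UTF-8');   // O&#039;Reilly

printf("raw input:      %s\n", $raw);
printf("slashed GPC:    %s\n", $gpc);
printf("escaped twice:  %s -> stored as %s\n", $double, $storedDouble);
printf("escaped once:   %s -> stored as %s\n", $once, $storedOnce);
printf("HTML-encoded:   %s\n", $html);
```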