[wp-hackers] single quote in plugin options

Will Anderson wp-hackers at itsananderson.com
Thu Jul 16 03:43:22 UTC 2009


Yes, quotes and backslashes are escaped by $wpdb->prepare before the queries
are sent to the database; this is done to avoid SQL injections. These
backslashes are interpreted as escape characters by MySQL and don't actually
make it into the database. A problem arises when both $wpdb and Magic Quotes
escape the input. Then instead of inserting [Tom\'s Bar] into your database,
you get [Tom\\\'s Bar]. In the first case, MySQL interprets the \' as a
single quote and you end up with [Tom's Bar] in your database. In the second
case, MySQL interprets the \\ as a single backslash and the \' as a single
quote. You end up with [Tom\'s Bar] in your database. Pulling this data out
and then putting it back in only compounds the problem.
This is why Magic Quotes are being deprecated. They're useful for software
that doesn't do its own escaping, but software like WordPress does, so Magic
Quotes end up being more of a pain than they're worth.

-- 
Will Anderson
http://www.itsananderson.com/

On Wed, Jul 15, 2009 at 10:43 PM, Matt Freedman <speedboxer at gmail.com> wrote:

> Rather, those quotes are escaped using addslashes(). Sorry for the error.
>
> On Wed, Jul 15, 2009 at 7:42 PM, Matt Freedman <speedboxer at gmail.com>
> wrote:
> > Actually, the quotes are (purposely) added using addslashes() in
> > wp-includes/wp-db.php before inserting the data into the database.
> >
> > Regards,
> > Matt Freedman
> >
> > On Wed, Jul 15, 2009 at 5:40 AM, Will
> > Anderson<wp-hackers at itsananderson.com> wrote:
> >> By the way, those slashes are due to Magic Quotes, a feature that will be
> >> removed in PHP 5.3 and 6. If you want to guard your code against future
> >> releases, or you want to distribute it to people who might have Magic
> >> Quotes disabled (which can be done fairly easily), you'll probably want to
> >> check whether Magic Quotes are enabled before calling stripslashes. Here's
> >> a good article on Magic Quotes. At the bottom of the page you'll find a
> >> code snippet that should give you a good idea of how to do this check.
> >>
> >> http://www.tizag.com/phpT/php-magic-quotes.php
> >>
> >> Best,
> >> Will Anderson
> >> http://www.itsananderson.com/
> >>
> >> On Wed, Jul 15, 2009 at 5:56 AM, Daiv Mowbray <daiv at daivmowbray.com>
> wrote:
> >>
> >>>
> >>> Thanx very much Matt,
> >>> stripslashes() is what I needed.
> >>> before display and before using in my javascript.
> >>>
> >>>
> >>> On Jul 15, 2009, at 10:26 AM, Matt Freedman wrote:
> >>>
> >>>> Use stripslashes() before displaying the option.
> >>>
> >>>
> >>> ----------
> >>> Daiv Mowbray
> >>> daiv at daivmowbray.com
> >>> ----------
> >>>
> >>>
> >>> _______________________________________________
> >>> wp-hackers mailing list
> >>> wp-hackers at lists.automattic.com
> >>> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >>>
> >>
> >>
> >>
> >> --
> >> Will Anderson
> >> http://www.itsananderson.com/
> >>
> >
> >
> >
> > --
> > Matt Freedman
> > http://mattfreedman.ca/
> >
>
>
>
> --
> Matt Freedman
> http://mattfreedman.ca/
>
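Will's double-escaping walkthrough above, as an added example that is not code from the thread or from WordPress: addslashes() stands in for the escaping layer WordPress applies, mysql_decode_literal() is an assumed, simplified model of how MySQL decodes a backslash-escaped string literal, and unmagic() is the "check before stripslashes" guard Will describes.

```php
<?php
// Added example (not from the thread or WordPress): reproduces the
// double-escaping of [Tom's Bar] when Magic Quotes and the database layer
// both escape, and the guarded stripslashes() that avoids it.

// Simplified model of MySQL literal decoding: "\x" becomes "x" for any x.
// (Real MySQL also maps \n, \0 etc.; irrelevant for quotes and backslashes.)
function mysql_decode_literal(string $literal): string {
    return preg_replace('/\\\\(.)/s', '$1', $literal);
}

$raw = "Tom's Bar";

// Case 1: only the database layer escapes (Magic Quotes off). Stored as-is.
$once = addslashes($raw);                 // Tom\'s Bar
echo "sent to MySQL: $once\n";
echo "stored       : " . mysql_decode_literal($once) . "\n";  // Tom's Bar

// Case 2: Magic Quotes escaped the request, then the database layer escaped
// it again. MySQL removes only one layer, so a stray backslash is stored.
$twice = addslashes(addslashes($raw));    // Tom\\\'s Bar
echo "sent to MySQL: $twice\n";
echo "stored       : " . mysql_decode_literal($twice) . "\n"; // Tom\'s Bar

// Each read-then-save cycle under Case 2 compounds the problem:
// the stored backslash count goes 1, 3, 7, ... (a -> 2a + 1 per cycle).
$stored = $raw;
for ($i = 1; $i <= 3; $i++) {
    $stored = mysql_decode_literal(addslashes(addslashes($stored)));
    echo "after save #$i: $stored\n";
}
// after save #1: Tom\'s Bar
// after save #2: Tom\\\'s Bar
// after save #3: Tom\\\\\\\'s Bar

// The guard Will suggests: strip the Magic Quotes layer only when PHP added
// it, so the same code is correct whether Magic Quotes are on or off.
// get_magic_quotes_gpc() no longer exists in modern PHP (removed in 8.0),
// so its presence is tested before it is called.
function unmagic(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}
```

Feeding request values through unmagic() before they reach the database layer means exactly one escaping layer is ever applied, which is the behaviour Case 1 shows.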

