[wp-trac] [WordPress Trac] #35838: Customizer Save & Publish fails if /*SQL-COMMAND in text box (only on some hosts)
WordPress Trac
noreply at wordpress.org
Mon Feb 15 20:37:16 UTC 2016
--------------------------+-----------------------------
Reporter: wpweaver | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Customize | Version: trunk
Severity: normal | Keywords:
Focuses: |
--------------------------+-----------------------------
This is one of the strangest issues I've ever seen in 40 years of
programming.

The issue:

On SOME hosts, the Customizer "Save & Publish" fails if text with
"'''/*SQL-COMMAND'''" is included in any text box with apparently any
theme.

For example, on an appropriate hosting company, activate TwentySixteen.
Open the Customize : Site Identity tab, and enter a value into the Tagline
box (or really, any text box will do). Then try Save & Publish. Normally
this will work. BUT, if the string is something like '''/*insert''' or
'''/*delete''' or any other SQL command I tried, the string will show in
the preview window, but Save & Publish does not work, and the value is not
saved in the settings.

I could only test this on a limited number of hosts, including a couple of
different BlueHost shared hosting boxes, and a GreenGeeks box. The issue
does NOT show on a BlueHost VPS box, nor my Mac MAMP dev system.

I looked at whatever I could, but could not nail down just where/who was
causing the issue. This is possibly not a WP bug, but is still a real
issue as plenty of users have cheap hosts like BlueHost or GreenGeeks, so I
think it needs to be addressed.

I would suspect some kind of failed attempt on the hosting configuration
to stop SQL injection attacks, but who knows.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/35838>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform