The MU forums have moved to WordPress.org

BUG: Magic quotes turned off, still getting slashes (7 posts)

  1. plug_n_author
    Member
    Posted 14 years ago #

    For some reason, slashes are being added to blog titles and user comments wherever single-quotes (') are used. We have turned off magic quotes and the problem persists.

    http://tucsoncitizen.com/

  2. tdjcbe
    Member
    Posted 14 years ago #

  3. plug_n_author
    Member
    Posted 14 years ago #

    Thanks. Glad to know that there is an open ticket.

  4. plug_n_author
    Member
    Posted 14 years ago #

    Actually, NOT fixed. Blog titles is the issue, not the site name.

  5. plug_n_author
    Member
    Posted 14 years ago #

    Fixed the issue. It was a plugin for the homepage to pull the most recent posts. The database apparently stores addslashes() data. IMO, this is a WP BUG that needs to be fixed. The database should only store pure, binary data.

  6. cafespain
    Member
    Posted 14 years ago #

    Nope not a WP bug, sorry. Something is adding an extra "add slashes" in there somewhere and isn't removing it at the end. Try it again with all your plugins disabled and see if it still does it.

    If it was a WP bug, then I think a LOT or people would be shouting.

  7. more-solutions
    Member
    Posted 14 years ago #

    I'm a complete Wordpress/Wordpress MU newbie (but not new to PHP) with the same problem.

    My understanding (from looking at the coding standards and the code) is that:

    • DB records should not have the slashes in them
    • Wordpress (admin.php) strips slashes added by magic_quotes_gpc if installed
    • Wordpress (admin.php) then adds slashes to all user data in $_POST
    • DB functions will escape any data they receive

    Therefore the net result is that whether or not magic quotes are on the results will be the same: $_POST data will have escaped quotes.

    So anything in MU that uses $_POST should unescape the data before storing it.

    The fix (for me anyway) was to find
    case "updateblog"
    and replace
    `foreach ( (array) $_POST['option'] as $key => $val ) {
    if( $c == $count ) {`
    with
    `foreach ( (array) $_POST['option'] as $key => $val ) {
    $key = stripslashes($key);
    $val = stripslashes($val);
    if( $c == $count ) {`

    I also discovered that the way Wordpress checks for data being unchanged means that if the only change you make is to remove a slash then Wordpress will think nothing changed and not store it in the database, so I had to change "Mark\'s Blog" to "Mark's Blog!" to make it change.

    Hope that helps someone!

    PS: I think this is NOT a WP bug, but IS a WPMU bug. But I've not been here long enough to know for sure? It's only when something doesn't strip slashes when it takes data from the database that it would notice though (as is the case with the plugin mentioned above). Most of the WP/WPMU code seems to do that, but it is still a bug (imho) to be storing the slashes in the database regardless of whether most of the code will invisibly correct it. I haven't worked out yet how I would store \' if I actually wanted to (maybe if I wanted to blog this thread, for example).

About this Topic

  • Started 14 years ago by plug_n_author
  • Latest reply from more-solutions