
attribute_escape() versus $wpdb->escape() (8 posts)

  1. harknell
    Member
    Posted 6 years ago #

    I was reading a security article that mentioned using attribute_escape() on any form input that was going to be displayed back to the user so as to remove the possibility of exploit code being run. I was wondering though if you use $wpdb->escape() on form data that will be put in the database, do you also need to use attribute_escape() on the same data if it will also be shown to the user after the database write is done, or are both of these functions doing the same thing essentially but for different reasons? (one on data not related specifically to the database, the other for data definitely going to the database).

    I don't want to unnecessarily run data through extra functions if it isn't required or is already successfully processed to remove problems.

  2. JeremyVisser
    Member
    Posted 6 years ago #

    Correct. Imagine you entered this malicious text as your website URL in a profile:

    http://www.google.com/" onclick="alert('Hey!')

    If you echoed it like this:

    <a href="<?php echo $url ?>">

    This would result:

    <a href="http://www.google.com/" onclick="alert('Hey!')">

    But if you escaped it with attribute_escape() before echoing it, that would fix it.

  3. JeremyVisser
    Member
    Posted 6 years ago #

    Re-reading your post, it seems you were asking whether you should attribute_escape() everything. My understanding is that you should only do it to data being put into the attribute of an HTML element. However, no matter where you're echoing it, you should also htmlentities() it.
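    An added example, not part of the thread, that reproduces the href breakout described in the replies above in plain PHP so it runs without WordPress. attr_escape() is a stand-in written with htmlspecialchars(); WordPress's attribute_escape() (esc_attr() in later versions) performs the same entity encoding of the quote characters that matter here. The URL is the constructed value from the reply.

```php
<?php
// attr_escape(): stand-in for WordPress's attribute_escape(). ENT_QUOTES
// encodes both " and ' so the value can never close the surrounding attribute.
function attr_escape(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed input: the malicious "website URL" from the reply above.
$url = 'http://www.google.com/" onclick="alert(\'Hey!\')';

// Unescaped: the literal double quote ends the href value, so the rest of the
// string is parsed as a second attribute (onclick) on the <a> element.
$unsafe = '<a href="' . $url . '">';

// Escaped: the double quote is emitted as an entity and stays part of the
// href value; the browser sees one attribute containing odd text, not a handler.
$safe = '<a href="' . attr_escape($url) . '">';

echo "unescaped: ", $unsafe, "\n";
echo "escaped:   ", $safe, "\n";

// For text content (between tags rather than inside an attribute) the same
// call covers what the reply suggests with htmlentities(): < and > become
// entities, so a pasted <script> tag renders as text instead of executing.
echo "as text:   <span>", htmlspecialchars($url, ENT_QUOTES, 'UTF-8'), "</span>\n";
```

    The point of running it is to see that escaping changes the output at the quote character only; nothing about the attacker's string is removed, it is just kept inside the attribute value where it was meant to be.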

  4. harknell
    Member
    Posted 6 years ago #

    OK, to be clear on one note: If I have just read information out of the database and used $wpdb->escape() on it when it was added to the database and also removed, do I also have to run the data through something else or is that good enough? I'm not talking about parroting back input to the user immediately, I'm talking about information that is coming strictly out of the database.

  5. JeremyVisser
    Member
    Posted 6 years ago #

    Nope, you don't need to "unescape" it if it's coming out of the database.

  6. JeremyVisser
    Member
    Posted 6 years ago #

    Although you may need to do some unescaping if magic_quotes is turned on (don't worry, WordPress does that automatically, though).

  7. Marco Cimmino
    Member
    Posted 6 years ago #

    No, WordPress just does the contrary: it escapes everything if magic_quotes is turned off.

    from wp-settings.php:

    // Escape with wpdb.
    $_GET = add_magic_quotes($_GET );
    $_POST = add_magic_quotes($_POST );
    $_COOKIE = add_magic_quotes($_COOKIE);
    $_SERVER = add_magic_quotes($_SERVER);

    In fact, I don't even know why it is needed to escape everything before querying when WordPress does it anyway.

  8. Chris Burgess
    Member
    Posted 6 years ago #

    Agreed. Using this function, and with magic_quotes_gpc=Off in php.ini, I see "double quoting" of "Harriet's Adages" stored in the DB as "Harriet\'s Adages". ???

    function recordBooksWanted() {
        // we are logged in by now, either by magic registration or login
        global $current_user, $wpdb;
        if ( isset($_POST['book_title']) ) {
            for ( $i = 0; $i < sizeof($_POST['book_title']); $i++ ) {
                if ( $_POST['book_title'][$i] != '' ||
                     $_POST['book_author'][$i] != '' ) {
                    // start a fresh row on every iteration so a title or author
                    // from the previous book is not carried into this one
                    $cols = array();
                    $cols['user_id'] = $current_user->ID;
                    if ( $_POST['book_title'][$i] != '' ) {
                        // $_POST has already been through add_magic_quotes() in
                        // wp-settings.php, so this escapes the value a second time
                        $cols['title'] = $wpdb->escape($_POST['book_title'][$i]);
                    }
                    if ( $_POST['book_author'][$i] != '' ) {
                        $cols['author'] = $wpdb->escape($_POST['book_author'][$i]);
                    }
                    $sql = 'INSERT INTO ' . $wpdb->prefix . 'books_wanted ' .
                        '( ' . implode(',', array_keys($cols)) . ') VALUES ' .
                        "( '" . implode("','", array_values($cols)) . "')";
                    $wpdb->query($sql);
                }
            }
        }
    }
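    An added example, not part of the thread, that reproduces the double escaping the last two posts describe without needing WordPress or a database. magic_quotes() stands in for the add_magic_quotes() call quoted from wp-settings.php and db_escape() for $wpdb->escape(); both are implemented with addslashes() here, which is an assumption about their behaviour that holds for the apostrophe case in question. The "Harriet's Adages" value is the constructed input from the post above.

```php
<?php
// Stand-ins (assumed behaviour): WordPress quotes every request value in
// wp-settings.php, and $wpdb->escape() quotes again before the INSERT.
function magic_quotes(string $value): string { return addslashes($value); }
function db_escape(string $value): string { return addslashes($value); }

// What MySQL keeps from a quoted SQL literal: one level of backslashes removed.
function stored_value(string $sqlLiteral): string { return stripslashes($sqlLiteral); }

// Constructed request value as the user typed it, with magic_quotes_gpc=Off.
$raw = "Harriet's Adages";

// Step 1: by the time a plugin runs, wp-settings.php has already quoted $_POST.
$_POST['book_title'] = magic_quotes($raw);

// Step 2 (the bug): the plugin escapes the already-quoted value, so the
// backslash from step 1 is itself escaped. MySQL removes one level and
// stores the other, which is the "Harriet\'s Adages" seen in the table.
$doubleEscaped = db_escape($_POST['book_title']);

// Fix: strip the magic-quotes layer first, then escape exactly once.
// WordPress ships stripslashes_deep() for doing this over nested arrays.
$onceEscaped = db_escape(stripslashes($_POST['book_title']));

printf("typed by user:  %s\n", $raw);
printf("double escaped: %-22s stored as: %s\n", $doubleEscaped, stored_value($doubleEscaped));
printf("escaped once:   %-22s stored as: %s\n", $onceEscaped, stored_value($onceEscaped));
```

    The stored value in the "escaped once" line matches what the user typed; the "double escaped" line shows the stray backslash that survives into the table, which is exactly the symptom described above. Escaping is a property of the boundary being crossed (one layer per boundary), not of the data, so escaping twice for the same SQL boundary corrupts it.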
