WordPress.org

Forums

Escaping apostrophes in WordPress (6 posts)

  1. er777
    Member
    Posted 1 year ago #

    I wrote a plugin for WordPress that stores restaurant menu items. But whenever apostrophes are used, WordPress escapes them with slashes on both the admin and front end and keeps adding slashes to the text on every save.

    This is an excerpt and example of what I have as post code:

    $dinnerEntree2 = $_POST[$dinnerEntree_option];
    for ($i=1; $i<= $dinner_menu_item_number_saved; $i++) {

        // entree   dinner_menu_entree_option
        $dinnerEntree = "dinner_menu_".$i."_entree";
        $dinnerEntree_saved = "dinner_menu_".$i."_entree_save";
        $dinnerEntree_option = "dinner_menu_".$i."_entree_option";
        $dinnerEntree_saved2 = get_option($ingredients);
        $dinnerEntree2 = $_POST[$dinnerEntree_option];

        if ($dinnerEntree_saved2 != $dinnerEntree2)
            if(!update_option($dinnerEntree,$dinnerEntree2))
                $message='failed to save large entree';
        // end of entree

    and in the input form field:

    <input type="text" name="dinner_menu_<?php echo $i ?>_entree_option" value="<?php echo get_option($dinnerEntree);  ?>" size="40"/></span>

    I have tried stripslashes, but have had no luck.

    I have also tried this:

    $dinnerEntree2 = stripslashes_deep( $_POST[$dinnerEntree_option] );

    That doesn't do it either.

    This has been discussed over the years but I have seen no definitive solution for WordPress. Magic Quotes are off on my server.... any ideas?

  2. s_ha_dum
    Member
    Posted 1 year ago #

    You have to escape quotes sometimes. That is unavoidable. You can do a lot of damage if you don't, or some unfriendly visitor can do a lot of damage for you. I don't know that it is a matter of finding or needing a definitive solution.

    $dinnerEntree2 = stripslashes_deep( $_POST[$dinnerEntree_option] );

    If you already have layers of backslash-ing in your database, this likely won't fix it. (Plus, using stripslashes_deep on what looks to be a string is a bit of a waste.) You will have to fix the entries in your database before you can start to make sense of things. Starting from a clean slate, stripslashes when you echo the data should work.

  3. er777
    Member
    Posted 1 year ago #

    Thanks - database is pristine, admin tool clears out these added slashes.

    If I manually escape (\'), the same thing happens. It's a really pesky problem, but I believe it has been solved by someone, as bloggers do not hesitate to use ' or " in their posts - granted they are using tinymce and I am not...

  4. Why are you saving a menu in the options table? Doesn't make any sense at all. WordPress comes with custom post types, taxonomies, post meta. You can even make the post edit screen look however you want using meta boxes.

    You're taking raw post data and saving it as options without doing any validation or sanitization.

  5. er777
    Member
    Posted 1 year ago #

    I don't mean menu in the sense you think - it's a restaurant menu:
    http://wilshirerestaurant.com/

    Are you saying that the problem comes from using the options table? The validation and sanitization you speak of - where do I find info about that? And is that the solution?

  6. s_ha_dum
    Member
    Posted 1 year ago #

    For WordPress: http://codex.wordpress.org/Data_Validation

    But if you are writing code that will be exposed to the world wide (and evil) web, you should have a more general understanding of data sanitization.

    http://coding.smashingmagazine.com/2011/01/11/keeping-web-users-safe-by-sanitizing-input-data/

    http://codeassembly.com/How-to-sanitize-your-php-input/

    Without sanitization, it is possible for a user to feed your form carefully constructed data and do things that you did not intend. Look up "MySQL injection".

    Using a custom post type for your menu would let you create much more interesting menus.
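
An added example, not written by anyone in this thread, of the validation and sanitization the last reply points to, applied to the entree fields from the first post. It assumes the code runs inside a WordPress admin page; the function names, the nonce action `save_dinner_menu` and the nonce field `dinner_menu_nonce` are hypothetical.

```php
<?php
// Added example, not code from the thread. Function names and the nonce
// action/field are hypothetical; the WordPress calls are core functions.

function dinner_menu_save_entrees( $item_count ) {
    // Only administrators may change the menu, and only via our own form.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'save_dinner_menu', 'dinner_menu_nonce' );

    for ( $i = 1; $i <= $item_count; $i++ ) {
        $field  = "dinner_menu_{$i}_entree_option";
        $option = "dinner_menu_{$i}_entree";
        if ( ! isset( $_POST[ $field ] ) ) {
            continue;
        }
        // WordPress adds slashes to $_POST on every request, even when PHP
        // magic quotes are off. Remove them once with wp_unslash() (3.6+),
        // then strip tags, line breaks and extra whitespace before storing.
        $value = sanitize_text_field( wp_unslash( $_POST[ $field ] ) );

        // update_option() does its own SQL escaping, so it gets the plain
        // value. Storing the slashed value is what makes slashes pile up.
        update_option( $option, $value );
    }
}

function dinner_menu_render_entree_field( $i ) {
    $value = get_option( "dinner_menu_{$i}_entree", '' );
    // esc_attr() encodes quotes and angle brackets for the attribute context,
    // so an apostrophe or quote in the stored text cannot end value="".
    printf(
        '<input type="text" name="dinner_menu_%d_entree_option" value="%s" size="40"/>',
        (int) $i,
        esc_attr( $value )
    );
}
```

The form that posts to the save handler would need a matching `wp_nonce_field( 'save_dinner_menu', 'dinner_menu_nonce' )` call for the nonce check to pass.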
