WordPress.org


Escaping data before updating options table? (7 posts)

  1. Allen
    Member
    Posted 1 year ago #

    I have a plugin that puts data in the options table using WordPress's add_option and update_option functions.

    One of my users has indicated they are getting an out of memory error and their hosting service says it's due to the fact that I'm not escaping data that is going into the options table.

    My question is do I need to escape the data (for example, I put a URL into the table, so it has slashes) before I use add_option or update_option?

    Thanks.

  2. bcworkz
    Member
    Posted 1 year ago #

    The add_option() function has a comment in source that says that values are expected to not be SQL-escaped. add_option() makes a call to sanitize_option(), so it appears there is no need to escape.

    But if you look at sanitize_option() source, it only sanitizes the default options. Custom options pass through unaltered! There is one default url type option which is passed through esc_url_raw(), so I think you should do the same, or similar, to your URLs.

  3. Allen
    Member
    Posted 1 year ago #

    Thanks... when I look at, say, the update_options source, it looks like they also send it through sanitize options... so you think if I don't esc_url_raw my URLs they won't be escaped in the update_options routine... thus causing the memory problem?

  4. bcworkz
    Member
    Posted 1 year ago #

    I don't know if this is the cause of your user's memory leak. All I know is sanitize_option() only sanitizes default options. It does nothing to custom options. And that the one default option that is a URL gets passed through esc_url_raw().

    I'm almost sure your URL option value is not escaped by update_option(). You could verify for yourself by finding your option in the postmeta table using phpMyAdmin.
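
An added example, not part of the thread or of any poster's plugin: one way to run a custom URL option through esc_url_raw() before it is stored, as replies 2 and 4 suggest. The option name `myplugin_feed_url` and the `myplugin_*` function names are hypothetical; the `sanitize_option_{$option}` filter is the hook that sanitize_option() applies to every option name, custom ones included.

```php
<?php
// Hypothetical option name, used for illustration only.
const MYPLUGIN_URL_OPTION = 'myplugin_feed_url';

/**
 * Validate and normalise a URL before it is stored.
 * Returns '' when the value is not an acceptable http(s) URL.
 */
function myplugin_sanitize_url_option( $value ) {
    if ( ! is_string( $value ) ) {
        return '';
    }
    // esc_url_raw() strips invalid characters and returns '' for any
    // protocol outside the allowed list (javascript:, data:, ...).
    $url = esc_url_raw( trim( $value ), array( 'http', 'https' ) );
    // Require a host so fragments such as "http://" are rejected.
    if ( '' === $url || ! parse_url( $url, PHP_URL_HOST ) ) {
        return '';
    }
    return $url;
}

// sanitize_option() leaves custom options untouched unless a callback is
// hooked here; once hooked, it runs for add_option() and update_option().
add_filter( 'sanitize_option_' . MYPLUGIN_URL_OPTION, 'myplugin_sanitize_url_option' );

/**
 * Store the URL. Returns false when the input was rejected.
 */
function myplugin_save_url( $raw ) {
    $clean = myplugin_sanitize_url_option( $raw );
    if ( '' === $clean ) {
        return false; // Do not overwrite a good value with junk.
    }
    // No addslashes() or SQL escaping: the option API expects
    // values that are not SQL-escaped.
    update_option( MYPLUGIN_URL_OPTION, $clean );
    return true;
}

// On output, escape for the context, e.g. inside an href attribute:
// echo '<a href="' . esc_url( get_option( MYPLUGIN_URL_OPTION, '' ) ) . '">feed</a>';
```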

  5. aammir
    Member
    Posted 1 year ago #

    I also have no idea about that...

  6. esmi
    Forum Moderator
    Posted 1 year ago #

  7. Allen
    Member
    Posted 1 year ago #

    Thanks... I don't post options in the postmeta table, but in the options table (might change that based on what you said).

Topic Closed

This topic has been closed to new replies.
