BUG WP 1.2 and most likely before — magic quotes a

  • Magic quote slashes have ended up in the WordPress data. The term ‘magic quote’ is used to refer to the fact that text that has quotes in it has to be ‘escaped’ (i.e. slashes added in front of the quotes), so that the database update process doesn’t treat them as the end of the line. However, if the text is ‘escaped’ twice, what happens is a slash ends up added to the database contents. And if it’s not stripped when the text is displayed, the slash then appears in the output.
    The magic quote problem – this slash that appears in the text – happens when magic quote support is on by default on the server, but the application also escapes the text. As a fix, we need to turn magic quotes off at our server, and one way to do it is to add the following to your .htaccess file:
    php_flag magic_quotes_gpc off
    php_flag magic_quotes_runtime off
    (However, doing so also causes the comment edit function in the administration pages of WordPress 1.2 to fail, because it’s not escaping the text before saving the changes to the database.)
    A workaround to the existing unwanted slashes has been to litter our pages with a filter calling the stripslashes function, but this is not really the best solution to this problem. A better solution would be to turn magic quotes off by default (unfortunately sacrificing our ability to edit comments from the admin pages until this bug is fixed) and then strip the existing slashes in the database. This cleanup should only need to be run once after the default magic quote support is turned off in .htaccess.
    I wrote the following which strips the slashes from posts and comments. I dislike doing universal updates, but this shouldn’t cause problems. However, caveat as always: back up your database before running this script, using mysqldump.

    <?php
    // One-time cleanup: strip stray magic-quote slashes from posts and comments.
    // Back up the database with mysqldump before running.
    require_once('wp-config.php');
    global $tablecomments, $wpdb, $tableposts;

    $sql = 'select ID, post_content from ' . $tableposts;
    $lines = $wpdb->get_results($sql);
    if ($lines) {
        foreach ($lines as $line) {
            // Remove the unwanted slashes stored in the content.
            $content = stripslashes($line->post_content);
            // The value was read from the database, not from GET/POST/cookie
            // input, so magic_quotes_gpc has not escaped it: always escape here.
            $content = addslashes($content);
            $id = (int) $line->ID;
            $wpdb->query("update $tableposts set post_content = '$content' where ID = $id");
        }
    }

    $sql = 'select comment_ID, comment_content from ' . $tablecomments;
    $lines = $wpdb->get_results($sql);
    if ($lines) {
        foreach ($lines as $line) {
            $content = addslashes(stripslashes($line->comment_content));
            $id = (int) $line->comment_ID;
            $wpdb->query("update $tablecomments set comment_content = '$content' where comment_ID = $id");
        }
    }

    echo "Any accidental magic quote slashes have been stripped from the comment and post text";
    ?>

    You can also access this function at http://weblog.burningbird.net/kill-bad-magic.txt. Just rename to a php extension and run.
    I’ve tested this in multiple databases, and it seems to be problem free. But if someone sees a gotcha, let me know and I’ll correct immediately. I’m not using one global update because pattern matching with escaped characters is actually not as trivial as it may seem. And the results can be unpredictable. Rather be safe than sorry.
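
The double escaping described in the post above, and the reason its cleanup is a run-once job, as an added example that is not part of the original post or of WordPress. The helper names are hypothetical, the sample strings are constructed, and `stripslashes` stands in for the database's parsing of a quoted string literal (an assumption that holds for the quote and backslash characters used here).

```php
<?php
// Added illustration; none of these helper names come from WordPress.

// Models magic_quotes_gpc: PHP escaped every GET/POST/cookie value on arrival.
function magic_quotes_layer(string $input): string {
    return addslashes($input);
}

// Models the application escaping the value again before building its SQL.
function app_escape(string $value): string {
    return addslashes($value);
}

// Models the database parsing a quoted string literal: exactly one escape
// layer is consumed. Assumption: stripslashes approximates the SQL parser,
// which is accurate for the quotes and backslashes in the samples below.
function stored_value(string $sql_literal): string {
    return stripslashes($sql_literal);
}

// Full write path; $magic_quotes_on selects whether the server-side layer runs.
function save(string $typed, bool $magic_quotes_on): string {
    $request = $magic_quotes_on ? magic_quotes_layer($typed) : $typed;
    return stored_value(app_escape($request));
}

// The one-time cleanup from the post, applied to a single stored value.
function cleanup(string $stored): string {
    return stripslashes($stored);
}

$typed = "It's a \"test\"";            // constructed sample comment text

$double = save($typed, true);          // server layer and application both escape
$single = save($typed, false);         // only the application escapes

echo "stored, magic quotes on : $double\n";   // slashes survive into the data
echo "stored, magic quotes off: $single\n";   // matches what was typed
echo "after cleanup           : " . cleanup($double) . "\n";

// A row that was never double-escaped but holds legitimate backslashes
// (constructed sample) loses them if the cleanup touches it, which is
// what happens to every cleaned row if the script is run a second time.
$clean = 'Saved to C:\\temp\\notes.txt';
echo "clean row               : $clean\n";
echo "clean row after cleanup : " . cleanup($clean) . "\n";
```

Run it with the `php` command-line interpreter and compare the stored values with what was typed: the last two lines show why the script should be run once, after magic quotes are off, against a backed-up database.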

Viewing 2 replies - 1 through 2 (of 2 total)
  • I’ll look at incorporating this into the upgrade script. Thanks!

  • I just used this technique on a friend’s blog, and it worked well. Thank you.
    However, it did not strip the slashes from the “recent activity” plug-in.
    Otherwise, hurrah!
    f.
