I have a plugin that puts data in the options table using wordpress’s add_option and update_option functions.
One of my users has indicated they are getting an out of memory error and their hosting service says it’s due to the fact that I’m not escaping data that is going into the options table.
My question is do I need to escape the data (for example, I put a URL into the table, so it has slashes) before I use add_option or update_option?
The add_option() function has a comment in source that says that values are expected to not be SQL-escaped. add_option() makes a call to sanitize_option(), so it appears there is no need to escape.
But if you look at sanitize_option() source, it only sanitizes the default options. Custom options pass through unaltered! There is one default url type option which is passed through esc_url_raw(), so I think you should do the same, or similar, to your URLs.
thanks…when I look at the, say, update_options source, it looks like they also send it through sanitize options….so you think if don’t esc_url_raw my urls they won’t be escaped in the update_options routine…thus causing the memory problem?
I don’t know if this is the cause of your user’s memory leak. All I know is sanitize_option() only sanitizes default options. It does nothing to custom options. And that the one default option that is an url gets passed through esc_url_raw().
I’m almost sure your url option value is not escaped by update_option(). You could verify for yourself by finding your option in the postmeta table using phpMYAdmin.
- The topic ‘Escaping data before updating options table?’ is closed to new replies.