WordPress.org

Support

Support » Plugins and Hacks » Hacks » Escaping data before updating options table?

Escaping data before updating options table?

  • I have a plugin that puts data in the options table using wordpress’s add_option and update_option functions.

    One of my users has indicated they are getting an out of memory error and their hosting service says it’s due to the fact that I’m not escaping data that is going into the options table.

    My question is do I need to escape the data (for example, I put a URL into the table, so it has slashes) before I use add_option or update_option?

    Thanks.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Moderator bcworkz

    @bcworkz

    The add_option() function has a comment in source that says that values are expected to not be SQL-escaped. add_option() makes a call to sanitize_option(), so it appears there is no need to escape.

    But if you look at sanitize_option() source, it only sanitizes the default options. Custom options pass through unaltered! There is one default url type option which is passed through esc_url_raw(), so I think you should do the same, or similar, to your URLs.

    thanks…when I look at the, say, update_options source, it looks like they also send it through sanitize options….so you think if don’t esc_url_raw my urls they won’t be escaped in the update_options routine…thus causing the memory problem?

    Moderator bcworkz

    @bcworkz

    I don’t know if this is the cause of your user’s memory leak. All I know is sanitize_option() only sanitizes default options. It does nothing to custom options. And that the one default option that is an url gets passed through esc_url_raw().

    I’m almost sure your url option value is not escaped by update_option(). You could verify for yourself by finding your option in the postmeta table using phpMYAdmin.

    i also have no idea about that…

    esmi

    @esmi

    Forum Moderator

    thanks…I don’t post options in the postmeta table, but in the options table (might change that based on what you said).

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Escaping data before updating options table?’ is closed to new replies.
Skip to toolbar