SQL Injection, escaping and magic quotes
As I understand it, WordPress for some reason checks for magic quotes and, if they are disabled, manually adds slashes. What I want to find out is: in that case, can I assume that the database methods are aware that the data has already been escaped? Functions such as $wpdb->insert(), $wpdb->update(), $wpdb->prepare() and even $wpdb->escape(): will these functions double-escape certain characters such as single quotes? Looking at the $wpdb->escape() method, from what I can tell it just escapes again. So in this case surely special characters such as ' are going to be double-escaped when calling $wpdb->escape()?
It's interesting that the Codex documentation for the wp_kses() method tells you that you need to remove any slashes from PHP's magic quotes before you call this function. However, no such warnings are present in the documentation for the database methods I listed above.
So do we need to manually remove slashes when calling these database functions? How about functions like wp_kses_post() and wp_kses_data()?
It’s all very unclear as to the best practice to follow in WordPress.
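The behaviour the post asks about, traced through as an added example (this is not code from the post or from WordPress core). WordPress applies add_magic_quotes() to the request superglobals on every load, whatever PHP's own magic_quotes setting is; wpdb::prepare(), wpdb::insert() and wpdb::update() then escape their string arguments once more and never strip slashes, so request data must be unslashed first (wp_unslash(), or stripslashes_deep() on older versions), exactly as the Codex says for wp_kses(). The script below runs without a WordPress install: addslashes() stands in for the escaping core really does (mysqli_real_escape_string(), which for a bare single quote also produces \'), the helper names prefixed simulate_ are assumptions for this example, and the sample value is constructed. It shows the stray backslash that is stored when the unslash step is skipped.

```php
<?php
// Added example, not code from the forum post or from WordPress core.
// Assumptions made here:
// - add_magic_quotes() is addslashes() applied recursively to the request
//   superglobals (done by wp_magic_quotes() early in every request).
// - wpdb::prepare()/insert()/update() escape each string argument once and
//   do not unslash it; for a single quote that escaping yields \' just as
//   addslashes() does, so addslashes() is used as the stand-in.
// - wp_unslash()/stripslashes_deep() remove one level of slashes.

/** Stand-in for add_magic_quotes(): slash every leaf of the request array. */
function simulate_add_magic_quotes(array $data): array
{
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value)
            ? simulate_add_magic_quotes($value)
            : addslashes((string) $value);
    }
    return $data;
}

/** Stand-in for the escaping wpdb::prepare() applies to a %s argument. */
function simulate_wpdb_escape(string $value): string
{
    return addslashes($value);
}

/** Stand-in for wp_unslash() / stripslashes_deep() on a scalar. */
function simulate_wp_unslash(string $value): string
{
    return stripslashes($value);
}

/**
 * What the server stores after decoding the quoted literal: \' becomes '
 * and \\ becomes \, i.e. one level of escaping is removed.
 */
function decode_sql_literal(string $escaped): string
{
    return stripslashes($escaped);
}

/**
 * Push one request value through the whole pipeline and return the value
 * that would end up in the table.
 */
function stored_value(string $requestValue, bool $unslashFirst): string
{
    // Step 1: by the time plugin code runs, WordPress has already slashed $_POST.
    $fromPost = simulate_add_magic_quotes(['title' => $requestValue])['title'];

    // Step 2: the plugin either unslashes (correct) or passes the value on as-is (bug).
    $toEscape = $unslashFirst ? simulate_wp_unslash($fromPost) : $fromPost;

    // Step 3: wpdb escapes once more, unaware of what happened in step 1.
    $escaped = simulate_wpdb_escape($toEscape);

    // Step 4: the database decodes the literal and stores the result.
    return decode_sql_literal($escaped);
}

$input = "O'Reilly";  // constructed sample request value containing a single quote

$withoutUnslash = stored_value($input, false);
$withUnslash    = stored_value($input, true);

printf("input:                %s\n", $input);
printf("without wp_unslash(): %s\n", $withoutUnslash);
printf("with wp_unslash():    %s\n", $withUnslash);
printf("round-trips cleanly:  %s\n", $withUnslash === $input ? 'yes' : 'no');
```

Run it with php from the command line. Neither path is an injection (the quote is escaped on both), but only the unslashed path stores the value the user typed. In a real plugin the corresponding sequence is `$title = wp_unslash( $_POST['title'] );` followed by `$wpdb->insert( $table, array( 'title' => $title ) );` with `$table` a table name you supply; `$wpdb->escape()` is deprecated since WordPress 3.6 in favour of esc_sql(), which escapes one level in the same way and likewise expects unslashed input.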