[wp-hackers] escape data before db insert?
Bjorn Wijers
mailings at bdisfunctional.net
Wed Jan 17 18:13:40 GMT 2007
Hi all,
Some time ago I had a discussion about escaping data in Wordpress. If I
understood it correctly, this person claimed that all GPC data will be
escaped by Wordpress before handing it over. I actually doubt that this
is the case, due to the existence of $wpdb->escape().
Now my question is: do I need to manually call $wpdb->escape() on every
piece of data I would like to insert into the database, or not?
Actually, when I do use it, I get an extra slash with this example:
$string = "O'Reilly" (comes in via $_GET or $_POST)
after I use
$wpdb->escape()
it becomes, after retrieving it from the database and echoing it:
O\'Reilly
So I presume it is already escaped before I used $wpdb->escape() and the
extra $wpdb->escape() changes it into O\\'Reilly before inserting it
into the database.
Could someone from the core team tell a bit more about when to escape and
when not? I would like to harden my plugin against XSS and SQL
injection, and I'd rather not have someone's Wordpress install get messed
up due to my plugin.
Thanks in advance!
grtz
BjornW
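Added example (not part of the original message, and not WordPress core code) that reproduces the stray slash the post describes without a database. Two facts it rests on: WordPress of that era (wp-settings.php) adds slashes to $_GET, $_POST and $_COOKIE at load time whenever PHP's magic_quotes_gpc is off, so plugin code always sees already-slashed input; and MySQL resolves backslash escapes in a quoted string literal exactly once. Everything else is an assumption made for the example: $wpdb->escape() is modelled as a plain addslashes() wrapper (wpdb_escape_stub), the "what MySQL stores" step is a simplified decoder that only handles \', \" and \\, the table name wp_mytable and the input values are constructed. ($wpdb->prepare() with %s placeholders, which does the escaping for you, was added to WordPress later, in 2.3; the rule that the value must be escaped exactly once still applies to it.)

```php
<?php
// Added example: simulates the layers the post describes so the
// double-escaping effect can be reproduced without a database.

// Layer 1: what WordPress does to $_GET/$_POST/$_COOKIE at load time:
// it adds slashes (magic-quotes style) when PHP has not already done so.
function simulate_wp_gpc_slashing(array $gpc): array {
    return array_map('addslashes', $gpc);
}

// Layer 2: stand-in for $wpdb->escape(). Assumption for this example:
// modelled as addslashes(), which is what it amounts to for ' " and \.
function wpdb_escape_stub(string $s): string {
    return addslashes($s);
}

// What MySQL stores after parsing the quoted literal: backslash escapes are
// resolved once. Simplified decoder covering only \', \" and \\.
function mysql_literal_to_stored(string $literal): string {
    return preg_replace('/\\\\([\'"\\\\])/', '$1', $literal);
}

// Output escaping for HTML is a separate concern: SQL escaping does nothing
// against XSS, and stored values must be escaped again on the way out.
function html_out(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$raw_post = ['name' => "O'Reilly"];           // constructed input, as sent by the browser
$_POST = simulate_wp_gpc_slashing($raw_post);  // plugin now sees O\'Reilly

// Wrong: escaping the already-slashed value a second time.
$double       = wpdb_escape_stub($_POST['name']);        // O\\\'Reilly in the literal
$stored_wrong = mysql_literal_to_stored($double);         // O\'Reilly ends up stored

// Right (one option): strip the slashes WordPress added, then escape exactly once.
$single       = wpdb_escape_stub(stripslashes($_POST['name'])); // O\'Reilly in the literal
$stored_right = mysql_literal_to_stored($single);                // O'Reilly ends up stored

// Injection check: escaping once still neutralises a quote-breakout attempt,
// because the attacker's quote becomes \' inside the literal.
$attack         = "x'); DROP TABLE wp_posts; -- ";       // constructed hostile input
$escaped_attack = wpdb_escape_stub($attack);
$sql = "INSERT INTO wp_mytable (name) VALUES ('" . $escaped_attack . "')";

printf("double-escaped literal: %s -> stored: %s\n", $double, $stored_wrong);
printf("single-escaped literal: %s -> stored: %s\n", $single, $stored_right);
printf("query built from hostile input: %s\n", $sql);
printf("stored value rendered into HTML: %s\n", html_out("<b>" . $stored_right . "</b>"));
```

Run it with `php example.php`. The first line shows the extra slash from the post; the second shows the value round-tripping cleanly once the input is only escaped a single time. The last line is the XSS side of the question: whatever you did on the way into the database, the value must still go through HTML escaping when it is echoed into a page.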