[wp-trac] [WordPress Trac] #35838: Customizer Save & Publish fails if /*SQL-COMMAND in text box (only on some hosts)

WordPress Trac noreply at wordpress.org
Mon Feb 15 20:37:16 UTC 2016


#35838: Customizer Save & Publish fails if /*SQL-COMMAND in text box (only on some
hosts)
--------------------------+-----------------------------
 Reporter:  wpweaver      |      Owner:
     Type:  defect (bug)  |     Status:  new
 Priority:  normal        |  Milestone:  Awaiting Review
Component:  Customize     |    Version:  trunk
 Severity:  normal        |   Keywords:
  Focuses:                |
--------------------------+-----------------------------
 This is one of the strangest issues I've ever seen in 40 years of
 programming.

 The issue:

 On SOME hosts, the Customizer "Save & Publish" fails if text with
 "'''/*SQL-COMMAND'''" is included in any text box with apparently any
 theme.

 For example, on an appropriate hosting company, activate TwentySixteen.
 Open the Customize : Site Identity tab, and enter a value into the Tagline
 box (or really, any text box will do). Then try Save & Publish. Normally
 this will work. BUT, if the string is something like '''/*insert''' or
 '''/*delete''' or any other SQL command I tried, the string will show in
 the preview window, but Save & Publish does not work, and the value is not
 saved in the settings.

 I could only test this on a limited number of hosts, including a couple of
 different BlueHost shared hosting boxes, and a GreenGeeks box. The issue
 does NOT show on a BlueHost VPS box, nor my Mac MAMP dev system.

 I looked at whatever I could, but could not nail down just where/who was
 causing the issue. This is possibly not a WP bug, but is still a real
 issue as plenty of users have cheap hosts like BlueHost or GreenGeeks, so I
 think it needs to be addressed.

 I would suspect some kind of failed attempt on the hosting configuration
 to stop SQL injection attacks, but who knows.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/35838>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform

