[wp-hackers] Re: wordpress options and security
Martin Geisler
mgeisler at mgeisler.net
Tue Oct 18 20:39:59 GMT 2005
Robert Deaton <false.hopes at gmail.com> writes:
> update_option and add_option should escape input for you:
>
> 357 $newvalue = $wpdb->escape($newvalue);
I think that means that $newvalue will be escaped twice: once when
WordPress applies addslashes to all $_GET, $_POST, $_COOKIE, and
$_SERVER variables (wp-settings.php line 156 onwards), and once by the
escape method.
If that is so, then the correct way to handle things would be to first
use stripslashes() on $newvalue before passing it to $wpdb->escape.
--
Martin Geisler GnuPG Key: 0x7E45DD38
PHP Exif Library | PHP Weather | PHP Shell
http://pel.sf.net/ | http://phpweather.net/ | http://mgeisler.net/
Read/write Exif data | Show current weather | A shell in a browser
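The double-escaping problem Martin describes, as an added example that is not part of the original thread and not WordPress code: a request value is run through addslashes() once by the global wp-settings.php pass and then again by the database layer. The wpdb_escape_standin() function below is an assumption standing in for $wpdb->escape() (it uses addslashes(), which produces the same output as mysql_real_escape_string() for the quote and backslash characters involved here), and the input value is constructed.

```php
<?php
// Added illustration (not WordPress code) of why a request value that
// WordPress has already passed through addslashes() is escaped twice when
// it is then handed to $wpdb->escape(), and how stripslashes() first fixes it.

// Assumption: a stand-in for $wpdb->escape(). For the characters used below
// addslashes() escapes the same way a real SQL escaper would.
function wpdb_escape_standin(string $value): string {
    return addslashes($value);
}

// Models what WordPress does in wp-settings.php: every $_GET/$_POST/
// $_COOKIE/$_SERVER value gets addslashes() applied before a plugin sees it.
function as_received_by_plugin(string $raw_request_value): string {
    return addslashes($raw_request_value);
}

// The wrong path: escaping the already-slashed value a second time.
function escaped_twice(string $raw_request_value): string {
    return wpdb_escape_standin(as_received_by_plugin($raw_request_value));
}

// The corrected path: undo the global addslashes() first, then let the
// database layer escape the value exactly once.
function escaped_once(string $raw_request_value): string {
    return wpdb_escape_standin(stripslashes(as_received_by_plugin($raw_request_value)));
}

// Models what ends up in the table: the server removes one level of
// escaping from a quoted literal. stripslashes() is a faithful model of that
// for quotes and backslashes.
function stored_value(string $escaped_literal): string {
    return stripslashes($escaped_literal);
}

// Constructed request value containing a single quote, the character that
// makes the difference visible.
$raw = "O'Reilly";

printf("raw value:          %s\n", $raw);
printf("escaped twice:      %s -> stored as %s\n", escaped_twice($raw), stored_value(escaped_twice($raw)));
printf("stripslashes first: %s -> stored as %s\n", escaped_once($raw), stored_value(escaped_once($raw)));
```

Run with `php example.php`: the doubly escaped path stores a stray backslash in front of the quote, while the stripslashes-first path stores the value the user actually typed. The same pattern applies to any plugin that calls $wpdb->escape() on raw request data, which is why the stripslashes() step belongs at the boundary where the value leaves the request and enters the plugin.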