[wp-hackers] Re: wordpress options and security

Martin Geisler mgeisler at mgeisler.net
Tue Oct 18 20:39:59 GMT 2005

Robert Deaton <false.hopes at gmail.com> writes:

> update_option and add_option should escape input for you:
>  357      $newvalue = $wpdb->escape($newvalue);

I think that means that $newvalue will be escaped twice: once when
WordPress applies addslashes to all $_GET, $_POST, $_COOKIE, and
$_SERVER variables (wp-settings.php line 156 onwards), and once by the
escape method.

If that is so, then the correct way to handle things would be to first
use stripslashes() on $newvalue before passing it to $wpdb->escape.

Martin Geisler                                     GnuPG Key: 0x7E45DD38

PHP Exif Library      |  PHP Weather             |  PHP Shell
http://pel.sf.net/    |  http://phpweather.net/  |  http://mgeisler.net/
Read/write Exif data  |  Show current weather    |  A shell in a browser
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 188 bytes
Desc: not available
Url : http://comox.textdrive.com/pipermail/wp-hackers/attachments/20051018/c03c15de/attachment.pgp

More information about the wp-hackers mailing list