[wp-hackers] escape data before db insert?

Brian Layman Brian at TheCodeCave.com
Wed Jan 17 19:12:17 GMT 2007

I don't qualify as being from the core team but until one of them gets back
to you, I can tell you that if you look at wp-settings.php, you can see that
it cleans all of the $_GET, $_POST, $_COOKIE and $_SERVER content:

// If already slashed, strip.
if ( get_magic_quotes_gpc() ) {
    $_GET    = stripslashes_deep($_GET   );
    $_POST   = stripslashes_deep($_POST  );
    $_COOKIE = stripslashes_deep($_COOKIE);
}

// Escape with wpdb.
$_GET    = add_magic_quotes($_GET   );
$_POST   = add_magic_quotes($_POST  );
$_COOKIE = add_magic_quotes($_COOKIE);
$_SERVER = add_magic_quotes($_SERVER);

So, if your plugin is being activated by WordPress hooks and functions, your
data will already be clean.  Where someone can get into trouble is when their
plugin is called separately from WordPress. If someone can type the name of
your php file and add on whatever parameters it needs, your plugin is then
acting outside of WordPress's protection.  It is completely independent, at
that point, and must not only provide the slash protection, but also the
security checks required to make certain the action being performed is done
by someone having the required rights.  Always test your plugin files to see
what happens when they are called independently with $_GET and/or $_POST
values specified.  If you don't try it, someone else surely will.

Brian Layman
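The rules above put into one plugin action file, as an added example (not code from the post or from WordPress core): it assumes a hypothetical table `{prefix}my_plugin_notes`, a form field `note` and a hidden field `my_plugin_action`, and uses the WordPress functions `current_user_can()`, `check_admin_referer()`, `wp_die()` and `$wpdb->escape()`.

```php
<?php
// Added example: a plugin action file that refuses to run outside WordPress
// and does its own rights check and escaping. Table and field names are
// hypothetical.

// 1. wp-settings.php defines ABSPATH before it slashes $_GET/$_POST, so if
//    ABSPATH is missing this file was requested directly and nothing below
//    can rely on WordPress having cleaned the input or loaded the user.
if ( ! defined( 'ABSPATH' ) ) {
    header( 'HTTP/1.0 403 Forbidden' );
    exit( 'Direct access is not permitted.' );
}

function my_plugin_handle_save() {
    global $wpdb;

    // Only act on our own form submission.
    if ( ! isset( $_POST['my_plugin_action'] ) || 'save' != $_POST['my_plugin_action'] ) {
        return false;
    }

    // 2. Rights check: the caller must hold a capability, not merely be
    //    logged in (capability name is an assumption for the example).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to do this.' );
    }

    // 3. Anti-CSRF check: the form must carry a nonce for this action.
    check_admin_referer( 'my_plugin_save_note' );

    if ( ! isset( $_POST['note'] ) ) {
        return false;
    }

    // 4. Slash handling: wp-settings.php already added slashes to $_POST, so
    //    strip them to get the raw value and then escape for SQL exactly once,
    //    rather than trusting that the slashes are still there.
    $raw  = stripslashes( $_POST['note'] );
    $note = $wpdb->escape( $raw );

    $table = $wpdb->prefix . 'my_plugin_notes';

    return $wpdb->query( "INSERT INTO `$table` (note) VALUES ('$note')" );
}

// Run on a WordPress hook so the file is never the entry point itself.
add_action( 'init', 'my_plugin_handle_save' );
```

Requesting the file by its path with `?note=...` or a POST body now stops at the ABSPATH guard, which is exactly the independent-call test described above.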
