[wp-hackers] wordpress and addslashes

Scott Taylor scott.c.taylor at mac.com
Wed Aug 8 19:52:18 UTC 2012


You have to use stripslashes everywhere; it gets insane. If you aren't careful, it will mess with your cookies as well.

If you implement custom auth, you have to know that WordPress stores slashed passwords, hashed, in the database; and if you are checking username and password in wp_authenticate, you have to call stripslashes on the arguments passed.

And if you are checking your cookies for email, username or password against another authentication service, you need to stripslashes_deep your cookies in the 'sanitize_comment_cookies' action.

-- 
Scott Taylor
Musician / Software Engineer
160 West End Ave #2H
New York, NY 10023


On Wednesday, August 8, 2012 at 3:46 PM, Haluk Karamete wrote:

> I just noticed that in a standalone PHP page when I do
> 
> echo $_GET['x'];
> 
> I get "O'Reilly" when x is passed as "O'Reilly".
> 
> But when I load the wordpress code using define('WP_USE_THEMES', false),
> 
> I end up getting "O\'Reilly" for the same input. The ' is escaped by \'.
> 
> This tells me WordPress does apply "addslashes" automatically to all the
> GET/POST/COOKIE superglobals.
> 
> I'm just curious: isn't the use of the addslashes functionality
> discouraged by the more recent versions of PHP? Why does WP have it
> then?
> 
> And my second question is, what should plug-in authors do? Apply
> stripslashes? Are there any other undos (like addslashes to be
> undone with stripslashes) that I need to worry about when I read data
> for my plug-in code?
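The symptom described in the question and the unslashing described in the reply, as an added example that is not code from the thread or from WordPress core. It emulates WordPress's slashing of the superglobals with a local helper so it runs without a WordPress install; the request values and the external service's record are constructed.

```php
<?php
// Added example, not from the thread or from WordPress core. Emulates the slashing
// WordPress applies to $_GET/$_POST/$_COOKIE at load time, then shows how plugin code
// should read the values back. Runs standalone: no WordPress install is loaded.

// Constructed stand-in for WordPress's slashing pass: addslashes() applied recursively.
function emulate_wp_slashing(array $data): array {
    foreach ($data as $key => $value) {
        $data[$key] = is_array($value) ? emulate_wp_slashing($value) : addslashes((string) $value);
    }
    return $data;
}

// Local equivalent of stripslashes_deep(): reverse the slashing recursively, exactly once.
function unslash_deep($value) {
    return is_array($value) ? array_map('unslash_deep', $value) : stripslashes((string) $value);
}

// Constructed request, as the browser actually sent it.
$raw_get    = ['x' => "O'Reilly", 'path' => 'C:\\tools\\bin'];
$raw_cookie = ['user_email' => "d'arcy@example.com"];

// What a plugin sees once WordPress has loaded.
$_GET    = emulate_wp_slashing($raw_get);
$_COOKIE = emulate_wp_slashing($raw_cookie);

// The symptom from the question: the quote arrives escaped until the plugin unslashes it.
printf("raw: %s  slashed: %s  unslashed: %s\n",
    $raw_get['x'], $_GET['x'], stripslashes($_GET['x']));

// Comparing a slashed cookie against a record held by another auth service fails whenever
// the value contains a quote or backslash; unslash the cookie first (the point of the reply).
$external_record = "d'arcy@example.com";   // constructed record from the other service
var_dump($_COOKIE['user_email'] === $external_record);
var_dump(unslash_deep($_COOKIE)['user_email'] === $external_record);

// Caveat: unslash exactly once. A second stripslashes() on already-clean data eats
// legitimate backslashes, so be clear about which layer owns the unslashing.
$once  = stripslashes($_GET['path']);
$twice = stripslashes($once);
var_dump($once === $raw_get['path']);
var_dump($twice === $raw_get['path']);
```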



