[wp-hackers] Escaping post meta values

Dan Phiffer dan at phiffer.org
Wed May 22 16:29:05 UTC 2013


On May 22, 2013, at 11:58 AM, Andrew Nacin <wp at andrewnacin.com> wrote:

> On May 22, 2013 11:55 AM, "Otto" <otto at ottodestruct.com> wrote:
>> 
>> On Wed, May 22, 2013 at 10:46 AM, Dan Phiffer <dan at phiffer.org> wrote:
>>> Hi wp-hackers,
>>> 
>>> What's the deal with post meta value escaping? I didn't see any mention
> of it in the documentation, but it seems important if you're ever going to
> store JSON data in the postmeta table (i.e., {"key":"value with \"quotes\"
> in the content."})
>> 
>> The meta functions expect unescaped data to be sent to them.
> 
> Just to add to this, this is stupid. See
> http://core.trac.wordpress.org/ticket/21767.
> 
>> Basically, meaning that you shouldn't be storing JSON data directly,
>> but instead storing the PHP form of the data. So, json_decode it
>> before saving it as meta, then json_encode it if you need to send it
>> back to a browser or elsewhere.
> 
> I'd agree this is a pretty good workaround. PHP can serialize what is
> effectively superset of JSON.

"What? JSON you say? Who would ever think to use *that* for encoding metadata?"

I would argue this is insane behavior to create a workaround for, but in the meantime I think the docs should clearly explain what the deal is. As soon as I re-encode the hundreds of post metadata entries I've stored from Flickr/Instagram/Twitter I'll see about helping the next person avoid my fate.

Thanks list!
Dan



More information about the wp-hackers mailing list