[MrLuke187]

Hi there!

I'm writing a little plugin for WordPress, which is used to create new entry's in a Notebook (also written in PHP, but not as a Plugin for WordPress). The Plugin should only create, edit and delete entry's from the Notebook (so I don't need to write a back end myself).

For the Editor, i use TinyMCE from WordPress (with the wp_tiny_mce()-function). I also use the $wpdb->prepare() function from WP to write the created entry in the Database. But the result in the Database is something like this:

Quote

<p style=\"text-align: center;\">Ich bin Zentriert</p>

As you can see, escaped HTML-Code is stored in the Database and I have no idea why. I only use the prepare() Function from WP (which is used to escape code) and than store it in the Database.

I first thought, Magic Quotes would maybe the Problem, but Magic Quotes isn't activated at all.

The code look's like this:

global $wpdb;
$wpdb->show_errors();
// Query erstellen:
$sql = 'INSERT INTO bb_eintrag (headline, datum, preview, inhalt) VALUES 
			(%s, NOW(), %s, %s)';
if (!$wpdb->query(
	$wpdb->prepare($sql, $_POST['headline'], $_POST['preview'], $_POST['inhalt'])
)){
	exit("<p>Eintrag konnte nicht erstellt werden!</p>");
}

What am I missing?

Greetings: Luke

[RudiVisser]

I'm not sure why this would be happening, but it will aid debugging if you check what the value is of the keys in $_POST.

var_dump($_POST);

Now check if there's already slashes applied, if there is, call stripslashes before passing it to $wpdb->prepare().

[MrLuke187]

You we're right, they are escaped in the $_POST[]. I don't have a clue why but they are.

After using the stripslashes-function, they aren't any more. But why are the escaped anyways?

Magic Quotes is deactivated (checked it again):


Greetings: Luke

[MrLuke187]

Okay, i got through with it:

It seams, that this isn't a bug, it's a WP-feature. WP automatically escapes everything in the $_POST-Array (no madder if Magic Quotes is activated or not).

WP also prevents a function called stripslashes_deep() (see here) which removes the slashes.

Also i went on the #wordpress IRC channel and talked to some guys. They told me not to use the function like this:

$_POST = stripslashes_deep($_POST);

Instead of doing this, use the PHP function stripslashes for the elements the plugin needs. So this is what you'll use:

$element = stripslashes($_POST['the_element']);

Anyways, THX to you RudiVisser!

Greetings: Luke

This post has been edited by MrLuke187: 04 March 2011 - 07:00 AM

[RudiVisser]

Wordpress is awesome.

[MrLuke187]

RudiVisser, on 04 March 2011 - 03:15 PM, said:

Wordpress is awesome.

No doubt about that

Greetings: Luke