$wpdb->update or $wpdb->insert results in slashes being added in front of quotes
Notice: this page is a translation (Chinese/English) of a popular StackOverflow question, provided under the CC BY-SA 4.0 licence. If you use or share it you must do so under the same licence, cite the original URL and attribute it to the original authors (not me): StackOverflow
Original: http://stackoverflow.com/questions/7341942/
Asked by J Lee
This question has been posed a few times in various places, but I haven't found a definitive and clear answer. Most solutions involve people saying to disable Magic Quotes in the php.ini file (which I did) or modifying core WP files.
Anyways, the question is this: why is it that every time I use $wpdb->insert or $wpdb->update a slash gets added before any single quote? So for instance:
I've eaten strawberries becomes I\'ve eaten strawberries
Here's the sample code I used:
global $wpdb;

$id      = $_POST['id'];
$title   = $_POST['title'];
$message = $_POST['message'];

$wpdb->update( 'table_name', array( 'id' => $id, 'title' => $title, 'message' => $message ), array( 'id' => $id ) );
The same problem was here: Wordpress Database Output - Remove SQL Injection Escapes but it was never solved aside from "disable magic quotes".
Answered by J Lee
After spending the day on this, the answer is as follows:
Wordpress escapes at the $_POST declaration, not at the actual insert, which is bizarre.
global $wpdb;

// stripslashes_deep() removes the slashes WP added to the superglobals.
$id      = stripslashes_deep( $_POST['id'] );
$title   = stripslashes_deep( $_POST['title'] );
$message = stripslashes_deep( $_POST['message'] );

$wpdb->update( 'table_name', array( 'id' => $id, 'title' => $title, 'message' => $message ), array( 'id' => $id ) );
Doing this will mean that WP will not add slashes before any quotes.
Answered by Ryan Horrisberger
A little more info: WordPress decided to make people think they were going crazy by adding 'magic quotes' even if you've got it turned off, starting in version 3.0. Any access to $_REQUEST, $_GET, $_POST, $_COOKIE, or $_SERVER will be affected. See wp-includes/load.php.
/**
 * Add magic quotes to $_GET, $_POST, $_COOKIE, and $_SERVER.
 *
 * @since 3.0.0
 */
function wp_magic_quotes() {
    // If already slashed, strip.
    if ( get_magic_quotes_gpc() ) {
        $_GET    = stripslashes_deep( $_GET );
        $_POST   = stripslashes_deep( $_POST );
        $_COOKIE = stripslashes_deep( $_COOKIE );
    }

    // Escape with wpdb.
    $_GET    = add_magic_quotes( $_GET );
    $_POST   = add_magic_quotes( $_POST );
    $_COOKIE = add_magic_quotes( $_COOKIE );
    $_SERVER = add_magic_quotes( $_SERVER );

    // Force REQUEST to be GET + POST.
    $_REQUEST = array_merge( $_GET, $_POST );
}
Answered by keithics
WordPress ignores the built-in PHP magic quotes setting and the value of get_magic_quotes_gpc() and will always add magic quotes (even after the feature is removed from PHP in 5.4).
You can use this instead:
global $wpdb;

// Replace $_POST with $POST: a copy with the WordPress slashes removed.
$POST = array_map( 'stripslashes_deep', $_POST );

$wpdb->insert(
    'wp_mytable',
    array(
        'field_name'      => $POST['field_name'],
        'type'            => $POST['type'],
        'values'          => serialize( $POST['values'] ),
        'unanswered_link' => $POST['unanswered_link'],
    ),
    array( '%s', '%s', '%s', '%s' )
);
WordPress does this because too much core and plugin code has come to rely on the quotes being there, so disabling quotes on the super globals (as is done in both the "Basic Example" and "Good Coding Practice" examples above) is likely to cause security holes.
http://codex.wordpress.org/Function_Reference/stripslashes_deep
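The following is an added example, not code from the question, from any of the answers, or from WordPress core. It reproduces the double-escaping the thread describes with plain PHP (7.4 or later, for arrow functions) outside WordPress: add_magic_quotes() and stripslashes_deep() are reimplemented here the way wp-includes/load.php applies them (recursive addslashes()/stripslashes()), and FakeWpdb is a stand-in for $wpdb that, like the real class, escapes every value it is handed and builds the statement itself (addslashes() stands in for mysqli_real_escape_string(); the two agree on quotes and backslashes). The sample request is constructed.

```php
<?php
declare(strict_types=1);

// Stand-in for the recursive addslashes() that wp_magic_quotes() applies to
// $_GET/$_POST/$_COOKIE/$_SERVER at bootstrap (see the load.php excerpt above).
function add_magic_quotes(array $array): array
{
    foreach ($array as $key => $value) {
        $array[$key] = is_array($value) ? add_magic_quotes($value) : addslashes((string) $value);
    }
    return $array;
}

// Stand-in for WordPress's stripslashes_deep(): recursive stripslashes().
function stripslashes_deep($value)
{
    return is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes((string) $value);
}

// Minimal stand-in for $wpdb (assumption: not the real class). insert() and
// prepare() escape every value themselves, so callers must NOT pre-escape.
class FakeWpdb
{
    public function escape(string $value): string
    {
        return addslashes($value); // real wpdb: mysqli_real_escape_string()
    }

    public function insert(string $table, array $data): string
    {
        $cols = implode(', ', array_map(fn($c) => "`$c`", array_keys($data)));
        $vals = implode(', ', array_map(fn($v) => "'" . $this->escape((string) $v) . "'", $data));
        return "INSERT INTO `$table` ($cols) VALUES ($vals)";
    }

    // Emulates $wpdb->prepare() for %s placeholders only.
    public function prepare(string $query, string ...$args): string
    {
        $i = 0;
        return preg_replace_callback('/%s/', function () use (&$i, $args) {
            return "'" . $this->escape($args[$i++]) . "'";
        }, $query);
    }
}

// What MySQL stores for a quoted literal: exactly one level of unescaping.
function stored_value(string $quoted_literal): string
{
    return stripslashes(substr($quoted_literal, 1, -1));
}

// Constructed sample request: what the browser sent, before WordPress touched it.
$raw_post = ['title' => 'Breakfast', 'message' => "I've eaten strawberries"];

// 1. WordPress bootstraps: every superglobal gets slashed.
$_POST = add_magic_quotes($raw_post);
// $_POST['message'] is now: I\'ve eaten strawberries

$wpdb = new FakeWpdb();

// 2. The question's code: the slashed value goes straight into $wpdb->insert(),
//    which escapes it a second time. The literal becomes 'I\\\'ve eaten strawberries'
//    and the row stores: I\'ve eaten strawberries  (the symptom in the question).
$sql_buggy = $wpdb->insert('wp_mytable', ['title' => $_POST['title'], 'message' => $_POST['message']]);

// 3. The answers' fix: unslash a copy (do not mutate $_POST itself), then let
//    $wpdb escape exactly once. Literal: 'I\'ve eaten strawberries'; stored: I've ...
$clean = stripslashes_deep($_POST);
$sql_fixed = $wpdb->insert('wp_mytable', ['title' => $clean['title'], 'message' => $clean['message']]);

// 4. The wrong "fix": unslashing and then concatenating into raw SQL removes the
//    only escaping left, so a quote in the input becomes SQL syntax.
$hostile = stripslashes_deep(add_magic_quotes(['message' => "x' OR '1'='1"]));
$sql_unsafe = "SELECT * FROM wp_mytable WHERE message = '" . $hostile['message'] . "'";
$sql_safe   = $wpdb->prepare("SELECT * FROM wp_mytable WHERE message = %s", $hostile['message']);

foreach (['buggy' => $sql_buggy, 'fixed' => $sql_fixed, 'unsafe' => $sql_unsafe, 'safe' => $sql_safe] as $label => $sql) {
    echo str_pad($label, 7), $sql, PHP_EOL;
}
echo 'buggy row stores: ', stored_value(substr($sql_buggy, strrpos($sql_buggy, ", '") + 2, -1)), PHP_EOL;
echo 'fixed row stores: ', stored_value(substr($sql_fixed, strrpos($sql_fixed, ", '") + 2, -1)), PHP_EOL;
```

Running it prints the four statements and then the value each INSERT would actually store: the "buggy" row keeps the backslash, the "fixed" row does not. The two points to take from it: unslash a copy of the input and keep handing that copy to $wpdb->insert(), $wpdb->update() or $wpdb->prepare(), which escape once on their own; never "fix" the slashes by dropping to string concatenation, because that is where the SQL injection in step 4 comes from. In WordPress 3.6 and later, wp_unslash() is the documented wrapper for the same stripslashes_deep() call used in the answers above.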