• I was reading a security article that mentioned using attribute_escape() on any form input that was going to be displayed back to the user so as to remove the possibility of exploit code being run. I was wondering though if you use $wpdb->escape() on form data that will be put in the database, do you also need to use attribute_escape() on the same data if it will also be shown to the user after the database write is done, or are both of these functions doing the same thing essentially but for different reasons? (one on data not related specifically to the database, the other for data definitely going to the database).

    I don’t want to unnecessarily run data through extra functions if it isn’t required or is already successfully processed to remove problems.

Viewing 7 replies - 1 through 7 (of 7 total)
  • Correct. Imagine you entered this malicious text as your website URL in a profile:

    https://www.google.com/" onclick="alert('Hey!')

    If you echoed it like this:

    <a href="<?php echo $url ?>">

    This would result:

    <a href="https://www.google.com/" onclick="alert('Hey!')">

    But if you escaped it with attribute_escape() before echoing it, that would fix it.

    Re-reading your post, it seems you were asking whether you should attribute_escape() everything. My understanding is that you should only do it to data being put into the attribute of an HTML element. However, no matter where you’re echoing it, you should also htmlentities() it.
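Added example, not code from the thread or from WordPress itself: it renders the malicious profile URL from the reply above both unescaped and through attribute escaping, then parses the result as a browser would to show which attributes the anchor actually ends up with. WordPress is not loaded, so attribute_escape() is approximated here by a local htmlspecialchars(ENT_QUOTES) wrapper (an assumption for this demonstration; the names attribute_escape_local, render_link_unescaped, render_link_escaped and anchor_attributes are made up for the example).

```php
<?php
// Added example, not from the thread. Demonstrates why data placed inside an
// HTML attribute needs attribute escaping even if it was escaped for the
// database. WordPress is not loaded: attribute_escape_local() stands in for
// attribute_escape() (assumption: htmlspecialchars with ENT_QUOTES is close
// enough for this demonstration).

// Constructed attacker input from the reply: closes the href value and
// smuggles in an event handler.
$url = 'https://www.google.com/" onclick="alert(\'Hey!\')';

// Stand-in for WordPress attribute_escape(): encode " ' < > & so the value
// cannot terminate the attribute it is placed in.
function attribute_escape_local($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// The vulnerable pattern: raw value dropped into an attribute.
function render_link_unescaped($url) {
    return '<a href="' . $url . '">profile</a>';
}

// The fixed pattern: same markup, value escaped for the attribute context.
function render_link_escaped($url) {
    return '<a href="' . attribute_escape_local($url) . '">profile</a>';
}

// Parse the markup the way a browser would and return the attributes the
// first <a> element really has. Two attributes means the injection worked;
// one attribute means the whole payload stayed inside href.
function anchor_attributes($html) {
    $doc = new DOMDocument();
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    $a = $doc->getElementsByTagName('a')->item(0);
    $attrs = array();
    foreach ($a->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

echo render_link_unescaped($url), "\n";
print_r(anchor_attributes(render_link_unescaped($url)));

echo render_link_escaped($url), "\n";
print_r(anchor_attributes(render_link_escaped($url)));
```

Run with `php example.php`. For the unescaped render the parser reports two attributes, href and onclick, which is the injected handler; for the escaped render it reports only href, whose value is the complete attacker string, quotes and all, as harmless text. Database escaping never touched the double quote, so it would not have prevented this.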

    Thread Starter harknell

    (@harknell)

    Ok, to be clear on one note: If I have just read information out of the database and used $wpdb->escape() on it when it was added to the database and also removed, do I also have to run the data through something else or is that good enough? I’m not talking about parroting back input to the user immediately, I’m talking information that is coming strictly out of the database.

    Nope, you don’t need to “unescape” it if it’s coming out of the database.

    Although you may need to do some unescaping if magic_quotes is turned on (don’t worry, WordPress does that automatically, though).

No, WordPress does just the contrary: it escapes everything if magic_quotes is turned off.

    from wp-settings.php:

    // Escape with wpdb.
    $_GET = add_magic_quotes($_GET );
    $_POST = add_magic_quotes($_POST );
    $_COOKIE = add_magic_quotes($_COOKIE);
    $_SERVER = add_magic_quotes($_SERVER);

In fact I don’t even know why it is needed to escape everything before querying when WordPress does it anyway.

    Agreed. Using this function, and with magic_quotes_gpc=Off in php.ini, I see “double quoting” of “Harriet’s Adages” stored in the DB as “Harriet\’s Adages”. ???

    function recordBooksWanted() {
      // we are logged in by now, either by magic registration or login
      global $current_user, $wpdb ;
      if ( isset($_POST['book_title']) ) {
        for ( $i = 0 ; $i < sizeof($_POST['book_title']) ; $i++ ) {
          if ( $_POST['book_title'][$i] != '' ||
               $_POST['book_author'][$i] != '' ) {
            // start a fresh row each time so a title or author from the
            // previous iteration cannot leak into this one
            $cols = array() ;
            $cols['user_id'] = $current_user->ID ;
            // $_POST has already been through add_magic_quotes() in
            // wp-settings.php, so escaping here escapes a second time
            if ( $_POST['book_title'][$i] != '' ) {
              $cols['title'] = $wpdb->escape($_POST['book_title'][$i]) ;
            }
            if ( $_POST['book_author'][$i] != '' ) {
              $cols['author'] = $wpdb->escape($_POST['book_author'][$i]) ;
            }
            $sql = 'INSERT INTO ' . $wpdb->prefix . 'books_wanted ' .
              '( ' . implode(',', array_keys($cols)) . ') VALUES ' .
              "( '" . implode("','", array_values($cols)) . "')" ;
            $wpdb->query($sql);
          }
        }
      }
    }
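Added example, not code from the thread or from WordPress: it reproduces the double escaping the last two replies describe, the add_magic_quotes() pass that wp-settings.php runs over $_POST followed by a second $wpdb->escape() call, and shows what each version of the value would be stored as. WordPress is not loaded, so both functions are approximated locally with addslashes(), which is what they did to plain strings in the WordPress of that time (an assumption for this demonstration); the literal decoding step uses stripslashes() as a stand-in for how the database unquotes a string literal. The names add_magic_quotes_local, wpdb_escape_local, stored_value and escape_once are made up for the example, and the form submission is constructed.

```php
<?php
// Added example, not from the thread. Simulates the double escaping that the
// replies above describe. WordPress is not loaded: add_magic_quotes_local()
// and wpdb_escape_local() stand in for add_magic_quotes() and $wpdb->escape()
// and both use addslashes() (assumption for this demonstration).

// Stand-in for WordPress add_magic_quotes(): recursively addslashes() every
// string in the request arrays.
function add_magic_quotes_local($array) {
    foreach ((array) $array as $k => $v) {
        if (is_array($v)) {
            $array[$k] = add_magic_quotes_local($v);
        } else {
            $array[$k] = addslashes($v);
        }
    }
    return $array;
}

// Stand-in for $wpdb->escape() on a single string.
function wpdb_escape_local($string) {
    return addslashes($string);
}

// Stand-in for the database decoding a quoted SQL string literal back into
// the bytes it stores: each backslash escape collapses to the escaped byte.
function stored_value($escaped_literal) {
    return stripslashes($escaped_literal);
}

// Constructed form submission, exactly as PHP receives it with
// magic_quotes_gpc=Off.
$post = array('book_title' => array("Harriet's Adages"));

// What wp-settings.php does before any plugin code runs.
$post = add_magic_quotes_local($post);

// 1. The value a plugin finds in $_POST is already escaped once. Putting it
//    straight into the INSERT stores the original text.
$once = $post['book_title'][0];

// 2. Escaping it again, as recordBooksWanted() does, escapes the backslash
//    that add_magic_quotes() inserted, so the backslash itself gets stored.
$twice = wpdb_escape_local($post['book_title'][0]);

// 3. If you want to be explicit about escaping at the query, undo the
//    request-time pass first and escape exactly once.
function escape_once($magic_quoted) {
    return wpdb_escape_local(stripslashes($magic_quoted));
}
$explicit = escape_once($post['book_title'][0]);

printf("in \$_POST after add_magic_quotes: %s\n", $once);
printf("stored when used as-is:           %s\n", stored_value($once));
printf("escaped again before INSERT:      %s\n", $twice);
printf("stored after double escaping:     %s\n", stored_value($twice));
printf("unslash then escape once:         %s\n", $explicit);
printf("stored after escaping once:       %s\n", stored_value($explicit));
```

Run with `php example.php`. The value used as-is stores `Harriet's Adages`; the twice-escaped value stores `Harriet\'s Adages`, the stray backslash the last reply saw in the database; unslashing first and escaping once stores the clean text again. The practical point of the thread is that with magic quotes off WordPress has already applied the one escaping pass the query needs, so a second pass is not extra safety, it is stored corruption.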
  • The topic ‘attribute_escape() versus $wpdb->escape()’ is closed to new replies.