
plugin development - How to properly sanitize strings for update_option()


I've tried to import an option value via update_options($name, $value) where $value has special characters (like apostrophe's for example) and I've noticed that the apostrophe gets stripped out of the text before it reaches the database.

What is the suggested sanitization of strings prior to sending them to update_options()?


asked Jul 13, 2011 at 16:28 by N2Mystic
  • It should work with apostrophes just fine. This seems like a configuration issue or bug introduced by something, rather than native behavior. Note that inline documentation states that update_option() explicitly expects input to not be SQL-escaped. – Rarst Commented Jul 13, 2011 at 18:49
  • Could you please include a specific example? It's a waste of time to guess. :) – Rarst Commented Jul 13, 2011 at 20:50

3 Answers


Try esc_html( $string ) (Codex ref), which among other things encodes single- and double-quotes.

For further reference, see the Data Validation entry in the Codex.

You should not use esc functions for data that's going into the database. esc functions are for output only.

The update_option() function sanitizes for you, so there's no need to run any extra san functions.

I can't comment on Chris Flannagan's answer so... update_options() does not sanitize all options. Some core options are sanitized, but custom options are not. You must sanitize the input yourself.

https://www.wordfence/blog/2018/11/xss-injection-campaign-exploits-wordpress-amp-plugin/
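The three answers disagree about where sanitization belongs. The following is an added PHP example, not code from the question or any of the answers, showing the split that reconciles them: sanitize the value on the way into update_option() (via a registered sanitize_callback, so every write path is covered) and escape it only at output. The plugin prefix myplugin_, the option key myplugin_tagline, the nonce action name and the 200-character cap are assumptions for illustration; register_setting(), sanitize_text_field(), wp_unslash(), update_option(), get_option() and esc_html() are real WordPress functions.

```php
<?php
/**
 * Added example (not from the original question or answers): a minimal
 * settings handler demonstrating "sanitize on input, escape on output".
 * All myplugin_* names and the option key 'myplugin_tagline' are assumed.
 */

// 1. Register the option with a sanitize_callback. update_option() runs
//    sanitize_option() for the option name, which calls this callback, so
//    Settings API forms, REST writes and direct update_option() calls are
//    all filtered the same way (custom options get no sanitizing otherwise).
function myplugin_register_settings() {
    register_setting(
        'myplugin_options',   // option group (assumed)
        'myplugin_tagline',   // option name (assumed)
        array(
            'type'              => 'string',
            'sanitize_callback' => 'myplugin_sanitize_tagline',
            'default'           => '',
        )
    );
}
add_action( 'admin_init', 'myplugin_register_settings' );

// 2. The sanitizer. sanitize_text_field() strips tags, NUL bytes, line
//    breaks and stray octets but leaves apostrophes and quotes intact, so
//    "O'Brien's site" survives the round trip. Use wp_kses_post() instead
//    when a limited HTML subset is legitimately expected.
function myplugin_sanitize_tagline( $value ) {
    $value = is_string( $value ) ? $value : '';
    $value = sanitize_text_field( $value );
    return mb_substr( $value, 0, 200 ); // length cap: assumed policy
}

// 3. A manual save handler. WordPress adds slashes to $_POST, so call
//    wp_unslash() before sanitizing; otherwise "it's" is stored as "it\'s".
//    The form must render wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ).
function myplugin_handle_save() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

    $raw = isset( $_POST['myplugin_tagline'] )
        ? wp_unslash( $_POST['myplugin_tagline'] )
        : '';
    // update_option() will invoke the registered sanitize_callback again;
    // sanitizing here as well is harmless and keeps the handler explicit.
    update_option( 'myplugin_tagline', myplugin_sanitize_tagline( $raw ) );
}

// 4. Output: escape at the point of use, never before storage. Storing
//    esc_html() output would double-encode on every save/edit cycle and
//    still leave other contexts (attributes, JS) unprotected.
function myplugin_render_tagline() {
    $tagline = get_option( 'myplugin_tagline', '' );
    echo '<p class="tagline">' . esc_html( $tagline ) . '</p>';
}
```

The point the example makes against the first answer: esc_html() is context-specific output escaping, and a value escaped for HTML and then stored is wrong for every other context and accumulates entities on each edit. The point against the second answer: update_option() only sanitizes options that have a sanitizer registered, so the register_setting() call above is what makes the "it sanitizes for you" claim true for a custom option.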
