#2434 closed defect (bug) (fixed)
Linked Image + Apostrophe In Post = Database Error
Reported by: | Dave-Millercom | Owned by: | dougal |
---|---|---|---|
Milestone: | Priority: | high | |
Severity: | major | Version: | 2.0.1 |
Component: | Administration | Keywords: | image, link, database, apostrophe, attachments, sql, mysql, has-patch, needs-testing |
Focuses: | Cc: |
Description
If a new post contains both an image (either "Linked To Image" or "Linked To Page") and an apostrophe anywhere in the post ('), then the apostrophe is not escaped properly, causing a database error.
Here's the HTML code version of a post:
<p>' <a title="Tim & Tom Just Arrived" onclick="doPopup(7);return false;" class="imagelink" rel="attachment" id="p7" href="http://www.dave-miller.com//?attachment_id=7"><img width="120" height="96" alt="Tim & Tom Just Arrived" id="image7" src="http://www.dave-miller.com/wp-uploads/2006/02/Photo-0335.thumbnail.jpg" /></a></p>
And the error when I clicked Save & Continue Editing - notice the ' is not escaped in post_content:
WordPress database error: [You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'title="Tim & Tom Just Arrived" class="imagelink" rel="attachmen]
UPDATE IGNORE wp_posts SET post_author = '1', post_date = '0000-00-00 00:00:00', post_date_gmt = '0000-00-00 00:00:00', post_content = '' <a title="Tim & Tom Just Arrived" class="imagelink" rel="attachment" id="p7" onclick="doPopup(7);return false;" href="http://www.dave-miller.com/?attachment_id=7"><img width="120" height="96" alt="Tim & Tom Just Arrived" id="image7" src="http://www.dave-miller.com/wp-uploads/2006/02/Photo-0335.thumbnail.jpg" /></a>', post_content_filtered = '', post_title = 'Test', post_excerpt = '', post_status = 'draft', comment_status = 'open', ping_status = 'open', post_password = '', post_name = '', to_ping = '', pinged = '', post_modified = '2006-02-12 19:14:38', post_modified_gmt = '2006-02-12 19:14:38', post_parent = '0', menu_order = '0' WHERE ID = 15
Warning: Cannot modify header information - headers already sent by (output started at /home/.../wp-includes/wp-db.php:102) in /home/.../wp-admin/post.php on line 122
Attachments (2)
Change History (15)
#2
@
19 years ago
I finally figured out the problem was:
In admin-function.php > fix_attachment_links(), when wp_update_post($post) was called, the post contents had no slashes added, unlike in edit_post() (which calls wp_update_post($_POST)).
I added a patch for this. I hope it's in the right format - I've never made one before.
Dave
#3
@
19 years ago
Also I can't promise it doesn't have any side effects because I haven't extensively tested it. If it does, it might be better to make a copy of $post and add slashes to that instead.
#4
@
19 years ago
- Keywords attachments sql mysql added
- Owner changed from anonymous to dougal
- Priority changed from normal to high
I spent the last week trying to track down this same problem, and finally came to the same conclusion you did (see my thread on wp-testers).
I came up with a similar patch, but used the WP function addslashes_gpc(), which automagically handles the server's magic_quotes_gpc setting. I also added a conditional to add some protection against mangled attachment IDs.
#5
@
19 years ago
- Keywords has-patch needs-testing added
Okay, I've attached my patch (attachment-fix.diff). Somebody please review, and if there are no objections, I'll commit it to trunk and to the 2.0 branch.
#7
@
19 years ago
- Milestone set to 2.0.2
You can get_post() as ARRAY_A and then add_magic_quotes() on the entire array before sending to wp_update_post(). We need to do that before both calls to wp_update_post(). Don't use magic_quotes_gpc() since the post data is coming from the DB, not from GPC. The post data will always be unescaped when being pulled straight from the DB.
Some info I forgot to add:
PHP 4.3.11, magic quotes & runtime off (also tried them on and got a different error)
MySQL 4.0.25-standard
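The mismatch discussed in this ticket, as an added example (it is not WordPress code and not either attached patch): an updater that expects pre-slashed fields is fed a row read straight from the database, first raw and then slashed. `update_sql()`, `slash_fields()`, `read_literal()` and `inspect()` are hypothetical names, and the row is constructed sample data.

```php
<?php
// Added illustration (PHP 7.4+), not WordPress source.
// Hypothetical stand-in for an updater that, like wp_update_post() as this
// ticket describes it, expects fields to arrive already slash-escaped.
function update_sql(array $post): string {
    return "UPDATE wp_posts SET post_content = '" . $post['post_content']
         . "', post_title = '" . $post['post_title']
         . "' WHERE ID = " . (int) $post['ID'];
}

// Hypothetical helper: escape every string field of a row read back from
// the database before it is handed to the updater (the idea in comment #7).
function slash_fields(array $row): array {
    return array_map(fn($v) => is_string($v) ? addslashes($v) : $v, $row);
}

// Minimal reader for a MySQL-style single-quoted literal whose opening quote
// is at $pos. Returns [decoded value, offset after the closing quote], or
// null if the literal never terminates.
function read_literal(string $sql, int $pos): ?array {
    $out = '';
    for ($i = $pos + 1, $n = strlen($sql); $i < $n; $i++) {
        $c = $sql[$i];
        $next = $i + 1 < $n ? $sql[$i + 1] : '';
        if ($c === '\\' && $next !== '') { $out .= $next; $i++; continue; }
        if ($c === "'" && $next === "'") { $out .= "'"; $i++; continue; }
        if ($c === "'") { return [$out, $i + 1]; }
        $out .= $c;
    }
    return null;
}

// What the server would store as post_content, and the text it parses next.
function inspect(string $sql): array {
    $key = "post_content = ";
    $lit = read_literal($sql, strpos($sql, $key) + strlen($key));
    return $lit === null
        ? ['stored' => null, 'next' => '']
        : ['stored' => $lit[0], 'next' => substr($sql, $lit[1], 24)];
}

// Constructed sample row, shaped like the post in the ticket description.
$row = ['ID' => 15, 'post_title' => 'Test',
        'post_content' => '\' <a rel="attachment" id="p7">photo</a>'];

foreach (['raw from DB' => $row, 'slashed' => slash_fields($row)] as $label => $post) {
    $r = inspect(update_sql($post));
    printf("%-12s stored=%s | next=%s\n", $label, var_export($r['stored'], true), $r['next']);
}
```

With the raw row the literal closes at the apostrophe, so the remainder of the post is parsed as SQL, which is the syntax error quoted in the description. With the slashed row the full content is stored and the statement continues with the next column.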