Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#9189 closed defect (bug) (fixed)

add_magic_quotes now double-escaping post content when saving

Reported by: filosofo Owned by:
Milestone: 2.8 Priority: highest omg bbq
Severity: normal Version: 2.8
Component: General Keywords:
Focuses: Cc:


[10597] introduced the use of mysql_real_escape_string() in wpdb's escape() method.

However, when you save a post the content gets double-escaped, which means that line breaks are turned into \r\n and then \\r\\n.

The first escape is in wp-settings.php where applies add_magic_quotes() to $_POST.

The second is in wp_update_post() which applies it to the post content (wp_update_post() is called by edit_post()).

Then wp_update_post() calls wp_insert_post(), which calls stripslashes_deep(), so we end up with rn.

Change History (4)

comment:1 mrmist5 years ago

  • Keywords needs-patch added
  • Version set to 2.8

Confirmed against multiple installations.

comment:2 ryan5 years ago

(In [10604]) Use mysql_real_escape_string() only in prepare(), insert(), and update(). escape() uses addslashes only. Add array support to escape(). see #9189

comment:3 ryan5 years ago

  • Resolution set to fixed
  • Status changed from new to closed

comment:4 hakre4 years ago

  • Keywords add_magic_quotes mysql_real_escape_string needs-patch removed


  • #1394 - add_slashes() does not escape all database input correctly
  • #11819 - Use mysql_real_escape_string instead of addslashes
Note: See TracTickets for help on using tickets.