Correct. Imagine you entered this malicious text as your website URL in a profile:
http://www.google.com/" onclick="alert('Hey!')
If you echoed it like this:
<a href="<?php echo $url ?>">
This would be the result:
<a href="http://www.google.com/" onclick="alert('Hey!')">
But if you escaped it with attribute_escape() before echoing it, that would fix it.
Re-reading your post, it seems you were asking whether you should attribute_escape() everything. My understanding is that you should only do it to data being put into the attribute of an HTML element. However, no matter where you’re echoing it, you should also htmlentities() it.
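A small stand-alone PHP script, added here as an example and not part of the original thread, that reproduces the breakout described above and shows what an attribute escaper does to the same value. attr_escape_demo() is a stand-in written for this example: it calls htmlspecialchars() with ENT_QUOTES, which is what WordPress's attribute_escape() boils down to (an assumption about that version's exact behaviour). The scheme check in is_http_url() goes beyond the thread: escaping stops the value from closing the attribute, but it does nothing against a javascript: URL, so an href also needs its scheme allowlisted.

```php
<?php
// Added example; not code from the thread or from WordPress itself.

// Stand-in for attribute_escape(): turns &, <, >, " and ' into entities so the
// value can never terminate the attribute it is placed in.
function attr_escape_demo(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Beyond the thread: escaping does not make "javascript:alert(1)" a safe href,
// so only allow http(s) URLs into the attribute at all.
function is_http_url(string $url): bool {
    $scheme = parse_url($url, PHP_URL_SCHEME);
    return in_array(strtolower((string) $scheme), ['http', 'https'], true);
}

// What the original post does: the profile value is dropped straight into href.
function render_link_unsafe(string $url): string {
    return '<a href="' . $url . '">my site</a>';
}

// Hardened form: scheme check first, then attribute escaping on output.
function render_link_safe(string $url): string {
    if (!is_http_url($url)) {
        $url = '#'; // refuse anything that is not a plain web URL
    }
    return '<a href="' . attr_escape_demo($url) . '">my site</a>';
}

// Constructed inputs: the payload from the post, and a javascript: URL that
// attribute escaping alone would not neutralise.
$payloads = [
    'http://www.google.com/" onclick="alert(\'Hey!\')',
    'javascript:alert(document.cookie)',
];

foreach ($payloads as $payload) {
    echo "unsafe: ", render_link_unsafe($payload), "\n";
    echo "safe:   ", render_link_safe($payload), "\n\n";
}
```

Run it with the PHP CLI. For the first payload the unsafe line contains a working onclick attribute, while the safe line keeps the whole value inside href, with the double and single quotes turned into &quot; and &#039;. For the javascript: URL the safe line shows href="#", because no amount of entity encoding makes that scheme harmless.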
Ok, to be clear on one note: If I have just read information out of the database and used $wpdb->escape() on it when it was added to the database and also removed, do I also have to run the data through something else or is that good enough? I’m not talking about parroting back input to the user immediately, I’m talking information that is coming strictly out of the database.
Nope, you don’t need to “unescape” it if it’s coming out of the database.
Although you may need to do some unescaping if magic_quotes is turned on (don’t worry, WordPress does that automatically, though).
No, WordPress does just the contrary: it escapes everything if magic_quotes is turned off.
from wp-settings.php:
// Escape with wpdb.
$_GET = add_magic_quotes($_GET );
$_POST = add_magic_quotes($_POST );
$_COOKIE = add_magic_quotes($_COOKIE);
$_SERVER = add_magic_quotes($_SERVER);
In fact, I don't even know why it is needed to escape everything before querying when WordPress does it anyway.
Agreed. Using this function, and with magic_quotes_gpc=Off in php.ini, I see “double quoting” of “Harriet’s Adages” stored in the DB as “Harriet\’s Adages”. ???
function recordBooksWanted() {
    // we are logged in by now, either by magic registration or login
    global $current_user, $wpdb;
    if ( ! isset($_POST['book_title']) ) {
        return;
    }
    for ( $i = 0; $i < sizeof($_POST['book_title']); $i++ ) {
        $title  = isset($_POST['book_title'][$i])  ? $_POST['book_title'][$i]  : '';
        $author = isset($_POST['book_author'][$i]) ? $_POST['book_author'][$i] : '';
        if ( $title == '' && $author == '' ) {
            continue; // skip completely blank rows
        }
        // start a fresh column set for every row so that a title or author
        // from the previous row cannot leak into this one
        $cols = array( 'user_id' => $current_user->ID );
        if ( $title != '' ) {
            $cols['title'] = $wpdb->escape($title);
        }
        if ( $author != '' ) {
            $cols['author'] = $wpdb->escape($author);
        }
        $sql = 'INSERT INTO ' . $wpdb->prefix . 'books_wanted ' .
               '( ' . implode(',', array_keys($cols)) . ' ) VALUES ' .
               "( '" . implode("','", array_values($cols)) . "' )";
        $wpdb->query($sql);
    }
}
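To make the "double quoting" visible without a database, here is a stand-alone PHP script added as an example (not from the thread, not WordPress code). add_magic_quotes_demo() and wpdb_escape_demo() are stand-ins written for this example; both are modelled on addslashes(), which is the assumption made about what add_magic_quotes() and $wpdb->escape() did in the version the posters were using. mysql_stored_value() is a rough model of how the server decodes a single-quoted literal (it only handles backslash escapes, which is all this case needs).

```php
<?php
// Added example; not code from the thread or from WordPress itself.

// Stand-in for add_magic_quotes(): addslashes() applied to every value,
// which is what wp-settings.php does to $_POST when magic_quotes_gpc is off.
function add_magic_quotes_demo(array $data): array {
    return array_map('addslashes', $data);
}

// Stand-in for $wpdb->escape() of that era (assumption: addslashes-equivalent).
function wpdb_escape_demo(string $value): string {
    return addslashes($value);
}

// Rough model of MySQL reading '...' : each backslash escape is consumed once,
// so whatever is left is what ends up in the column.
function mysql_stored_value(string $literal): string {
    return stripslashes($literal);
}

// Constructed form submission, as it arrives before WordPress touches it.
$post = ['book_title' => "Harriet's Adages"];

// What WordPress has already done by the time recordBooksWanted() runs.
$post = add_magic_quotes_demo($post);
echo "after add_magic_quotes: ", $post['book_title'], "\n";

// What recordBooksWanted() does on top of that: escape a second time.
$doubled = wpdb_escape_demo($post['book_title']);
echo "double-escaped literal: ", $doubled, "\n";
echo "value stored in the DB: ", mysql_stored_value($doubled), "\n\n";

// Escaping exactly once: undo the slashes WordPress added, then escape.
$once = wpdb_escape_demo(stripslashes($post['book_title']));
echo "single-escaped literal: ", $once, "\n";
echo "value stored in the DB: ", mysql_stored_value($once), "\n";
```

The first block of output shows the stored value keeping one backslash, exactly the "Harriet\'s Adages" the poster saw, because the literal carried two layers of escaping and the server only strips one. The second block stores the apostrophe cleanly. In current WordPress the same INSERT is better written with $wpdb->prepare() or $wpdb->insert() on the raw value (after wp_unslash()), so that only one escaping layer is ever applied.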