• Resolved baptx

    (@baptx)


    There is an error message when we press the submit button:

    PHP Notice: wpdb::escape is <strong>deprecated</strong> since version 3.6.0! Use wpdb::prepare() or esc_sql() instead. in /var/www/html/wordpress/wp-includes/functions.php on line 3831, referer: http://localhost/wordpress/wp-admin/admin.php?page=bpmemberonly

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Tomas

    (@zhuyi)

    Hi,

    Thanks for the message. 🙂

    I will change it and release a new version. 🙂

    Thanks, have a good day. 🙂

    Best Regards,
    Tomas

    Thread Starter baptx

    (@baptx)

    Hi, I also noticed that the field “Opened Page URLs” cannot be reset because empty values are not saved. Have a good day.

    Plugin Author Tomas

    (@zhuyi)

    Hi @baptx

    I have released the new version 1.8.3:
    Use function esc_url to replace deprecated function escape
    Use wordpress nonce security to improve site security

I will check your other question and if there is a problem I will release a new version to fix it. 🙂

    Thanks, have a good day. 🙂

    Best Regards,
    Tomas

    Thread Starter baptx

    (@baptx)

Thanks, I reopened the topic for the other problem. I don’t know if we can edit the title to add the information.
    Good point for the security, I did not think to check your plugin for CSRF 🙂
    Now I tested XSS and found a security vulnerability: “</textarea><script>alert(1);</script><textarea>” :/ You should prevent this with a PHP function like htmlspecialchars.

    • This reply was modified 8 years, 6 months ago by baptx.
    Plugin Author Tomas

    (@zhuyi)

    Hi @baptx,

    Thanks for the message. 🙂

Yes, you are right. Following your suggestion, I have released a new version to enhance the security of our plugin:
    = Version 1.8.5 =
    Use wordpress sanitize_textarea_field to improve site security
    Opened Page URLs list can be deleted fully

    Reference of sanitize_textarea_field can be found at
    https://developer.ww.wp.xz.cn/reference/functions/sanitize_textarea_field/

    sanitize_textarea_field will:
    # Converts single < characters to entities
    # Strips all tags

So code like “</textarea><script>alert(1);</script><textarea>” will be removed from $_POST and avoid an XSS attack. 🙂

Thank you very much for the suggestion, any more feature requests are super welcome. 🙂

Have a blessed day with your family. 🙂

    Best Regards,
    Tomas
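As an added illustration of the two points raised in this thread (the textarea breakout payload baptx reported, and the input sanitizing plus "empty list can now be cleared" fix Tomas shipped), the following plain PHP is not the plugin's code and does not depend on WordPress; the function names, the `opened_page_urls` field name and the `save_url_list` helper are assumptions for the demo. Inside WordPress the equivalents are esc_textarea() for output and sanitize_textarea_field() for input.

```php
<?php
// Added example, not the plugin's code. Shows why a value echoed into a
// <textarea> must be escaped, using the payload quoted in the thread.

// Constructed sample input: the exact payload reported above.
$payload = '</textarea><script>alert(1);</script><textarea>';

// Vulnerable rendering: the raw value closes the textarea early, so the
// <script> in the payload is parsed as markup and runs in the admin page.
function render_textarea_vulnerable(string $value): string {
    return '<textarea name="opened_page_urls">' . $value . '</textarea>';
}

// Hardened rendering: escape on output. htmlspecialchars() turns < > & " '
// into entities, so the browser displays the payload as text, not markup.
// (WordPress: esc_textarea() does the same for textarea contents.)
function render_textarea_safe(string $value): string {
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea name="opened_page_urls">' . $escaped . '</textarea>';
}

// Input-side filtering in the spirit of sanitize_textarea_field(): strip tags
// but keep line breaks, since the field holds one URL per line. This is a
// plain-PHP stand-in, not WordPress's implementation.
function sanitize_url_list(string $raw): string {
    $clean = [];
    foreach (preg_split('/\R/', $raw) as $line) {
        $line = trim(strip_tags($line));
        if ($line !== '') {
            $clean[] = $line;
        }
    }
    return implode("\n", $clean);
}

// Assumed save handler. Testing array_key_exists() rather than !empty() means
// an empty submission still overwrites the stored value, which is what lets
// the "Opened Page URLs" list be reset (the second bug in the thread).
function save_url_list(array $post, array &$options): void {
    if (array_key_exists('opened_page_urls', $post)) {
        $options['opened_page_urls'] = sanitize_url_list((string) $post['opened_page_urls']);
    }
}

// Regression check: is there a live <script> tag right after a closed textarea?
function contains_breakout(string $html): bool {
    return preg_match('#</textarea>\s*<script#i', $html) === 1;
}

// Demo run (no framework needed; execute with `php this_file.php`).
echo 'vulnerable renderer breaks out: ';
var_dump(contains_breakout(render_textarea_vulnerable($payload)));
echo 'escaped renderer breaks out:    ';
var_dump(contains_breakout(render_textarea_safe($payload)));

$options = ['opened_page_urls' => "http://example.com/old"];
save_url_list(['opened_page_urls' => "http://example.com/a\n" . $payload . "\n\n"], $options);
echo 'sanitized list: ', json_encode($options['opened_page_urls']), PHP_EOL;
save_url_list(['opened_page_urls' => ''], $options);
echo 'after empty submit: ', json_encode($options['opened_page_urls']), PHP_EOL;
```

The two layers are complementary: stripping tags on input (as version 1.8.5 does) removes the payload before it is stored, while escaping on output protects any value that reaches the page by another path, such as data saved before the fix or imported from elsewhere.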


The topic ‘error: wpdb::escape is deprecated’ is closed to new replies.