Title: Why escape HTML before escaping SQL?
Last modified: August 31, 2016

---

# Why escape HTML before escaping SQL?

 *  Resolved [teresax](https://wordpress.org/support/users/teresax/)
 * (@teresax)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/why-escape-html-before-escaping-sql/)
 * Can you remove the filter wp_kses?

   ```php
   // Line 293 class.WpdiscuzCore.php
   $comment_content = wp_kses(trim($wc_comment), $this->helper->wc_allowed_tags);

   // Line 421 class.WpdiscuzCore.php
   'comment_content' => apply_filters('pre_comment_content', $commentContent),
   ```

 * …Or add new hooks or filters for developers.
 * Thanks a lot! Best plugin ever!
 * [https://wordpress.org/plugins/wpdiscuz/](https://wordpress.org/plugins/wpdiscuz/)

Viewing 8 replies - 1 through 8 (of 8 total)

 *  Plugin Author [gVectors Team](https://wordpress.org/support/users/gvectors-team/)
 * (@gvectors-team)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/why-escape-html-before-escaping-sql/#post-6906505)
 * Thank you teresax,
   wp_kses() is the main content protection for website owners. It filters all
   unnecessary HTML codes. I’m sorry, but we can’t remove it; it’ll bring lots
   of security issues. A new filter hook can’t avoid wp_kses(), because the
   final comment content should always be filtered by wp_kses().
 *  Thread Starter [teresax](https://wordpress.org/support/users/teresax/)
 * (@teresax)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/why-escape-html-before-escaping-sql/#post-6906513)
 * **Thanks for the reply**
 * The main problem is that if I write `\\`, I get `\`. It’s not normal, don’t
   you think?
 * **This is what the code says:**
 * _wp\_new\_comment_
 * > Filters new comment to ensure that the fields are sanitized and valid before
   > inserting comment into database. Calls ‘comment_post’ action with comment ID
   > and whether comment is approved by WordPress. Also has ‘preprocess_comment’
   > filter for processing the comment data before the function handles it.
 * _wp\_update\_comment_
 * > Filters the comment and makes sure certain fields are valid before updating.
 *  Plugin Author [gVectors Team](https://wordpress.org/support/users/gvectors-team/)
 * (@gvectors-team)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/why-escape-html-before-escaping-sql/#post-6906543)
 * Ok, thank you teresax,
   we’ll check this. If I get some news, I’ll update this topic.
 *  [Frankie](https://wordpress.org/support/users/frankiet/)
 * (@frankiet)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/why-escape-html-before-escaping-sql/#post-6906551)
 * Hi guys. This is not to be underestimated considering the importance of the writing…
 * WP uses PDO; there is no need to escape data if you use prepared statements
   (wp_new_comment, wp_update_comment…). Moreover, WordPress automatically adds
   slashes to all POST data…
 * Maybe you could try a similar thing to check if that really is the problem?
 *     ```
       $wpdz = isset($_POST['wpdiscuzAjaxData']) ? $_POST['wpdiscuzAjaxData'] : '';
       parse_str($wpdz, $wpdz_out);
       $comment_content = isset($wpdz_out['wc_comment']) ? ($wpdz_out['wc_comment']) : '';
       ```
   
 * OR
 *     ```
       $wpdz = isset($_POST['wpdiscuzAjaxData']) ? ($_POST['wpdiscuzAjaxData']) : '';
           parse_str($wpdz, $wpdz_out);
       $comment_content = isset($wpdz_out['wc_comment']) ? wp_unslash($wpdz_out['wc_comment']) : '';
       ```
   
 * OR
 *     ```
       $wpdz = isset($_POST['wpdiscuzAjaxData']) ? wp_unslash($_POST['wpdiscuzAjaxData']) : '';
           parse_str($wpdz, $wpdz_out);
       $comment_content = isset($wpdz_out['wc_comment']) ? ($wpdz_out['wc_comment']) : '';
       ```
   
 * Frankie.
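The slash-handling path Frankie's post describes, as an added example that is not code from this thread, from wpDiscuz or from WordPress: a stand-alone PHP simulation in which `addslashes()` stands in for the slashes WordPress adds to every top-level POST value, `stripslashes()` stands in for `wp_unslash()`, and the comment-insertion step is modelled as stripping one layer of slashes because WordPress's comment functions expect slashed input. The field names, the percent-encoded nested form and the typed value are constructed. It shows how a value pulled out of a nested query string with `parse_str()` can reach that step with one layer of slashes fewer than a plain POST field does, so a typed `\\` is stored as `\`, and how re-slashing the parsed value restores the round trip.

```php
<?php
// Added example, not code from wpDiscuz or WordPress. Stand-alone simulation
// of the slashing pipeline discussed in this thread, using the PHP primitives
// behind the WordPress helpers (these stand-ins are assumptions):
//   slashing of every top-level $_POST value  -> addslashes()
//   wp_unslash() / wp_slash()                  -> stripslashes() / addslashes()
//   the comment-insertion step expects slashed data and strips one layer.
// Sanitising (wp_kses) is not modelled; the question here is only slashes.

/**
 * Build what PHP would place in $_POST for a request whose whole form was
 * serialised into one field (as the plugin's wpdiscuzAjaxData is) plus, for
 * comparison, the same comment sent as a plain top-level field.
 * The nested form is assumed to be percent-encoded by the browser-side
 * serialiser, so its backslashes arrive as %5C inside the outer value.
 */
function build_post(string $typed_comment): array {
    $inner = 'wc_comment=' . rawurlencode($typed_comment);
    $body  = 'wpdiscuzAjaxData=' . rawurlencode($inner)
           . '&top_level_comment=' . rawurlencode($typed_comment);
    parse_str($body, $post);   // PHP's own request-body decoding
    return $post;
}

/** What the platform does before any plugin runs: slash every POST value. */
function magic_quotes_sim(array $post): array {
    return array_map('addslashes', $post);
}

/** The insertion step: expects slashed data, so it strips one layer. */
function insert_comment_sim(string $content): string {
    return stripslashes($content);
}

/**
 * Read the comment out of the nested field. With $slash_inner the parsed
 * value is re-slashed so it matches what the insertion step expects.
 */
function stored_from_nested(string $typed, bool $slash_inner): string {
    $post = magic_quotes_sim(build_post($typed));
    // addslashes() did nothing to the outer value: it held "%5C", not "\".
    parse_str($post['wpdiscuzAjaxData'], $out);
    $content = $out['wc_comment'] ?? '';
    if ($slash_inner) {
        $content = addslashes($content);   // wp_slash() equivalent
    }
    return insert_comment_sim($content);
}

/** A plain top-level field follows the intended slash-then-unslash path. */
function stored_from_top_level(string $typed): string {
    $post = magic_quotes_sim(build_post($typed));
    return insert_comment_sim($post['top_level_comment']);
}

$typed = '\\\\';   // PHP literal for the two backslashes the reporter typed

printf("typed:              %s\n", $typed);
printf("top-level field:    %s\n", stored_from_top_level($typed));
printf("nested, as-is:      %s\n", stored_from_nested($typed, false));
printf("nested, re-slashed: %s\n", stored_from_nested($typed, true));
```

Run it with `php example.php`. The top-level field and the re-slashed nested value both come back as the two backslashes that were typed; the nested value used as-is loses one, because the slashes added to `$_POST` were applied to the percent-encoded outer string, where there was no backslash to escape. A quote character survives both paths unchanged, since the unslashed copy has no slash to strip, which is why this kind of mismatch shows up only with backslashes.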
 *  [Frankie](https://wordpress.org/support/users/frankiet/)
 * (@frankiet)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/why-escape-html-before-escaping-sql/#post-6906552)
 * see the image
    [http://i.imgur.com/5WD6o2O.jpg](http://i.imgur.com/5WD6o2O.jpg)
 *  Plugin Author [gVectors Team](https://wordpress.org/support/users/gvectors-team/)
 * (@gvectors-team)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/why-escape-html-before-escaping-sql/#post-6906587)
 * Ok, thank you frankiet, we’ll check and fix this issue.
 *  Thread Starter [teresax](https://wordpress.org/support/users/teresax/)
 * (@teresax)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/why-escape-html-before-escaping-sql/#post-6906658)
 * Is there any news?
 *  Plugin Author [gVectors Team](https://wordpress.org/support/users/gvectors-team/)
 * (@gvectors-team)
 * [10 years, 5 months ago](https://wordpress.org/support/topic/why-escape-html-before-escaping-sql/#post-6906661)
 * This problem is fixed, please wait for the next version, it’ll be released very
   soon.


The topic ‘Why escape HTML before escaping SQL?’ is closed to new replies.

 * 8 replies
 * 3 participants
 * Last reply from: [gVectors Team](https://wordpress.org/support/users/gvectors-team/)
 * Last activity: [10 years, 5 months ago](https://wordpress.org/support/topic/why-escape-html-before-escaping-sql/#post-6906661)
 * Status: resolved