• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1334
  • Last Modified:

I need to Remove a escape \ from wordpress the_content() output

Hi Experts,

I am having some issues with an escape being outputted in my HTML.
I have tried a few things along the lines of preg_replace, str_replace, unescape, urldecode but I am not having any luck.

On the line below, I am output a list of Wordpress Posts, but if they have an apostrophe in the content, it is escaped.

function qrcode_showquestions() {

//shows all questions as a div based table	
	echo '<div id="qr">';
		echo '<h2>Questions</h2>';
		
		echo '<div id="qrcodequestions" class="questions">';
		
		$args = array( 'post_type' => 'qrcode_question', 'posts_per_page' => '99' );
		$loop = new WP_Query( $args );
		
		if (!$loop->have_posts()) {
			echo '<div class="questioncontainer">';
				echo '<div class="question">There are no Questions in the system at this time, please add some</div>';
			echo '</div>';
		} else {
		?><form action='' method='POST' id='qrcodeform'><?php
		while ( $loop->have_posts() ) : $loop->the_post();
			echo '<div class="questioncontainer">';
				echo '<div class="question">';
					stripslashes2(the_content());          //######## Error Line
				//echo "test";
				echo '</div>';
				echo '<div class="qrcode_button"><input type="submit" name="responses" id="res'.get_the_ID().'" value="Responses" /></div>';
				echo '<div class="qrcode_button"><input type="submit" name="answers" id="ans'.get_the_ID().'" value="Answers" /></div>';
				echo '<div class="qrcode_button"><input type="submit" name="delete" id="del'.get_the_ID().'" value="Delete" /></div>';
			echo '</div>';
		endwhile;
		?></form><?php
		} //end if 
		
		echo '<div class="addquestion">';
			add_question_box(); 
			echo '</div>';
		echo '</div>';
	echo '</div>';
} //end qrcode_question

function stripslashes2($string) {
    $string = str_replace("\\\"", "", $string);
	$string = str_replace("\\\\", "", $string);
    $string = str_replace("\\'", "'", $string);
	$string = str_replace("\'", "'", $string);
    
    return $string;
}

Open in new window


A potential reason for the error is the way it is input to Wordpress which is via this function
function add_edit_question ($question, $post_id=0)
{
	// Create post object, send $post_id to edit question
	$my_post = array(
		 'post_title' => $question,
		 'post_content' => $question,
		 'post_status' => 'publish',
		 'post_author' => $user_ID,
		 'post_type' => 'qrcode_question'
	);

	// Insert the post into the database
	return wp_insert_post( $my_post );
  
} //end add_question

Open in new window


Thoughts? Ideas?
0
Craig Lambie
Asked:
Craig Lambie
  • 3
  • 3
1 Solution
 
Terry WoodsIT GuruCommented:
It wouldn't be due to magic_quotes would it? http://nz.php.net/manual/en/security.magicquotes.what.php
0
 
Ray PaseurCommented:
You might want to have a look at this article:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

Looking at the first code snippet, you might want to substitute this for the existing code at line 39...46.  I haven't tested it but it seems right in principle.  HTH, ~Ray
function stripSlashes2($string) 
{
    while ( strpos($string, '\') !== FALSE)
    {
        $string = stripSlashes($string);
    }    
    return $string;
}

Open in new window

0
 
Craig LambieAuthor Commented:
I thought that too, and added a line of code to the theme functions, but it didn't do anything....
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
Ray PaseurCommented:
Looking again at the first code snippet, I see this on line 21.
stripslashes2(the_content());          //######## Error Line

Open in new window

From that it appears there may be two things worth changing.

Thing one might be that the stripslashes2() function provides a return value, but there is no assignment operator.  In other words, the existing code calls the function and discards the work product.

Thing two might be that the input to stripslashes2() is not located in the_content() but instead is located in $loop->the_content().  Not sure, but easy enough to test.

Taken together these two things lead me to believe that the correct code for line 21 might be something more like this.
echo stripslashes2($loop->the_content());        

Open in new window

When you are debugging it is sometimes useful to do data visualization.  You can use var_dump() to print out the contents of a variable.  Best of luck with it, ~Ray
0
 
Craig LambieAuthor Commented:
Ok, I have tried all your suggestions with no luck...
It might be something to do with how the_content() has it's own echo in the function maybe?

But here is the line that is causing the error in the "inputting" of the data to the database:
$question = trim(htmlspecialchars(mysql_real_escape_string($question)));

Open in new window


Which if I remove the mysql_real_escape_string it will invite sql injection, but also fixes my issue....

This is the line I added to functions.php in the theme to fix magic quotes:
if ( get_magic_quotes_gpc() ) {
    $_POST      = array_map( 'stripslashes_deep', $_POST );
    $_GET       = array_map( 'stripslashes_deep', $_GET );
    $_COOKIE    = array_map( 'stripslashes_deep', $_COOKIE );
    $_REQUEST   = array_map( 'stripslashes_deep', $_REQUEST );
}

Open in new window


Ray_Paseur, your function above needed an escape on the backslash to work btw.
function stripSlashes2($string) 
{
    while ( strpos($string, '\\') !== FALSE)
    {
        $string = stripSlashes($string);
    }    
    return $string;
}
             

Open in new window




Ok.  I have found the problem and fixed it, I tried this yesterday, but I forgot to add "echo" to the line, so thanks Ray for that one.
echo stripslashes2(get_the_content());

function stripslashes2($string) {
    $string = str_replace("\\\"", "", $string);
	$string = str_replace("\\\\", "", $string);
    $string = str_replace("\\'", "'", $string);
	$string = str_replace("\\\'", "'", $string);
    
    return $string;
}

Open in new window

0
 
Ray PaseurCommented:
Yes, I see the need for the double escape.  I don't use systems with magic quotes, so it's hard for me to test the damage that magic quotes can inflict!
See http://www.laprbass.com/RAY_temp_cclambie.php
<?php // RAY_temp_cclambie.php
error_reporting(E_ALL);
echo "<pre>";


// SHOW THE EFFECT OF ADDING SLASHES TWICE.
// YOU CAN DO THIS WITH ADDSLASHES, OR MAGIC QUOTES
// AND YOU CAN DOUBLE IT UP WITH MYSQL_REAL_ESCAPE_STRING()


function stripSlashes2($string)
{
    while ( strpos($string, '\\') !== FALSE)
    {
        $string = stripSlashes($string);
    }
    return $string;
}

// CREATE A STRING WITH AN APOSTROPHE
$thing = <<<THING
O'Reilly
THING;
var_dump($thing);

// ESCAPE IT MORE THAN ONE TIME
$slash = addslashes($thing);
$slash = addslashes($slash);
var_dump($slash);

// CLEAN IT AND SEE WHAT IT SAYS
$clean = stripSlashes2($slash);
var_dump($clean);

Open in new window

0
 
Craig LambieAuthor Commented:
all fixed thanks, sorry I should of awarded when I wrote my last reply.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now