Solved

I need to remove an escape \ from WordPress the_content() output

Posted on 2012-03-24
Last Modified: 2012-03-25
Hi Experts,

I am having some issues with an escape being outputted in my HTML.
I have tried a few things along the lines of preg_replace, str_replace, unescape, urldecode but I am not having any luck.

On the line below, I am outputting a list of WordPress posts, but if they have an apostrophe in the content, it is escaped.

function qrcode_showquestions() {

//shows all questions as a div based table	
	echo '<div id="qr">';
		echo '<h2>Questions</h2>';
		
		echo '<div id="qrcodequestions" class="questions">';
		
		$args = array( 'post_type' => 'qrcode_question', 'posts_per_page' => '99' );
		$loop = new WP_Query( $args );
		
		if (!$loop->have_posts()) {
			echo '<div class="questioncontainer">';
				echo '<div class="question">There are no Questions in the system at this time, please add some</div>';
			echo '</div>';
		} else {
		?><form action='' method='POST' id='qrcodeform'><?php
		while ( $loop->have_posts() ) : $loop->the_post();
			echo '<div class="questioncontainer">';
				echo '<div class="question">';
					stripslashes2(the_content());          //######## Error Line
				//echo "test";
				echo '</div>';
				echo '<div class="qrcode_button"><input type="submit" name="responses" id="res'.get_the_ID().'" value="Responses" /></div>';
				echo '<div class="qrcode_button"><input type="submit" name="answers" id="ans'.get_the_ID().'" value="Answers" /></div>';
				echo '<div class="qrcode_button"><input type="submit" name="delete" id="del'.get_the_ID().'" value="Delete" /></div>';
			echo '</div>';
		endwhile;
		?></form><?php
		} //end if 
		
		echo '<div class="addquestion">';
			add_question_box(); 
			echo '</div>';
		echo '</div>';
	echo '</div>';
} //end qrcode_question

function stripslashes2($string) {
    $string = str_replace("\\\"", "", $string);
	$string = str_replace("\\\\", "", $string);
    $string = str_replace("\\'", "'", $string);
	$string = str_replace("\'", "'", $string);
    
    return $string;
}



A potential reason for the error is the way it is input to WordPress, which is via this function:
function add_edit_question ($question, $post_id=0)
{
	// Create post object, send $post_id to edit question
	$my_post = array(
		 'post_title' => $question,
		 'post_content' => $question,
		 'post_status' => 'publish',
		 'post_author' => $user_ID,
		 'post_type' => 'qrcode_question'
	);

	// Insert the post into the database
	return wp_insert_post( $my_post );
  
} //end add_question



Thoughts? Ideas?
Question by:Craig Lambie
7 Comments
 
LVL 35

Expert Comment

by:Terry Woods
ID: 37762058
It wouldn't be due to magic_quotes would it? http://nz.php.net/manual/en/security.magicquotes.what.php
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 37762444
You might want to have a look at this article:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

Looking at the first code snippet, you might want to substitute this for the existing code at line 39...46.  I haven't tested it but it seems right in principle.  HTH, ~Ray
function stripSlashes2($string) 
{
    while ( strpos($string, '\') !== FALSE)
    {
        $string = stripSlashes($string);
    }    
    return $string;
}


0
 
LVL 1

Author Comment

by:Craig Lambie
ID: 37762447
I thought that too, and added a line of code to the theme functions, but it didn't do anything....
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 350 total points
ID: 37762479
Looking again at the first code snippet, I see this on line 21.
stripslashes2(the_content());          //######## Error Line


From that it appears there may be two things worth changing.

Thing one might be that the stripslashes2() function provides a return value, but there is no assignment operator.  In other words, the existing code calls the function and discards the work product.

Thing two might be that the input to stripslashes2() is not located in the_content() but instead is located in $loop->the_content().  Not sure, but easy enough to test.

Taken together these two things lead me to believe that the correct code for line 21 might be something more like this.
echo stripslashes2($loop->the_content());        


When you are debugging it is sometimes useful to do data visualization.  You can use var_dump() to print out the contents of a variable.  Best of luck with it, ~Ray
0
 
LVL 1

Author Comment

by:Craig Lambie
ID: 37763655
Ok, I have tried all your suggestions with no luck...
It might be something to do with how the_content() has its own echo in the function maybe?

But here is the line that is causing the error in the "inputting" of the data to the database:
$question = trim(htmlspecialchars(mysql_real_escape_string($question)));



Which if I remove the mysql_real_escape_string it will invite sql injection, but also fixes my issue....

This is the line I added to functions.php in the theme to fix magic quotes:
if ( get_magic_quotes_gpc() ) {
    $_POST      = array_map( 'stripslashes_deep', $_POST );
    $_GET       = array_map( 'stripslashes_deep', $_GET );
    $_COOKIE    = array_map( 'stripslashes_deep', $_COOKIE );
    $_REQUEST   = array_map( 'stripslashes_deep', $_REQUEST );
}



Ray_Paseur, your function above needed an escape on the backslash to work btw.
function stripSlashes2($string) 
{
    while ( strpos($string, '\\') !== FALSE)
    {
        $string = stripSlashes($string);
    }    
    return $string;
}
             





Ok.  I have found the problem and fixed it, I tried this yesterday, but I forgot to add "echo" to the line, so thanks Ray for that one.
echo stripslashes2(get_the_content());

function stripslashes2($string) {
    $string = str_replace("\\\"", "", $string);
	$string = str_replace("\\\\", "", $string);
    $string = str_replace("\\'", "'", $string);
	$string = str_replace("\\\'", "'", $string);
    
    return $string;
}


0
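The input line quoted in the comment above escapes the text by hand before it is stored. As an added example that is not part of the original thread, the sketch below shows why that leaves a backslash in the stored content and how bound parameters plus output-time encoding avoid it. Assumptions: PDO with in-memory SQLite stands in for the real database layer, addslashes() stands in for mysql_real_escape_string() (the mysql extension was removed in PHP 7), and store_question() / load_question() are hypothetical helpers.

```php
<?php
// Added example. PDO + in-memory SQLite stands in for the database layer (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Hypothetical helper: store text through a bound parameter; the driver does the SQL quoting.
function store_question(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO questions (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Hypothetical helper: read the stored text back exactly as the database holds it.
function load_question(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM questions WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

$input = "What's <b>your</b> name?"; // constructed sample question

// Pattern from the thread: escape for SQL and for HTML by hand, then pass the
// result to a layer that binds parameters anyway. The manual escaping is not
// undone on the way in, so it becomes part of the stored data.
$preEscaped = trim(htmlspecialchars(addslashes($input)));
$badId = store_question($pdo, $preEscaped);

// Alternative: store the raw text and let the bound parameter handle quoting.
$goodId = store_question($pdo, trim($input));

var_dump(load_question($pdo, $badId));   // contains a literal backslash and HTML entities
var_dump(load_question($pdo, $goodId));  // identical to what the user typed

// HTML encoding happens once, at the point where the value is written into markup.
echo htmlspecialchars(load_question($pdo, $goodId), ENT_QUOTES, 'UTF-8'), PHP_EOL;

// Quotes and backslashes in the input round-trip unchanged through the bound parameter.
$tricky = 'O\'Reilly said "C:\\temp" is full'; // constructed sample
$trickyId = store_question($pdo, $tricky);
var_dump(load_question($pdo, $trickyId) === $tricky);
```

With the raw text stored, no output-side stripping is needed; the stripslashes2() shown in the thread would also delete backslashes and escaped double quotes that legitimately belong to the content.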
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 37763762
Yes, I see the need for the double escape.  I don't use systems with magic quotes, so it's hard for me to test the damage that magic quotes can inflict!
See http://www.laprbass.com/RAY_temp_cclambie.php
<?php // RAY_temp_cclambie.php
error_reporting(E_ALL);
echo "<pre>";


// SHOW THE EFFECT OF ADDING SLASHES TWICE.
// YOU CAN DO THIS WITH ADDSLASHES, OR MAGIC QUOTES
// AND YOU CAN DOUBLE IT UP WITH MYSQL_REAL_ESCAPE_STRING()


function stripSlashes2($string)
{
    while ( strpos($string, '\\') !== FALSE)
    {
        $string = stripSlashes($string);
    }
    return $string;
}

// CREATE A STRING WITH AN APOSTROPHE
$thing = <<<THING
O'Reilly
THING;
var_dump($thing);

// ESCAPE IT MORE THAN ONE TIME
$slash = addslashes($thing);
$slash = addslashes($slash);
var_dump($slash);

// CLEAN IT AND SEE WHAT IT SAYS
$clean = stripSlashes2($slash);
var_dump($clean);


0
 
LVL 1

Author Closing Comment

by:Craig Lambie
ID: 37763964
All fixed, thanks. Sorry, I should have awarded when I wrote my last reply.
0
