Solved

I need to remove an escape \ from WordPress the_content() output

Posted on 2012-03-24
Last Modified: 2012-03-25
Hi Experts,

I am having some issues with an escape being outputted in my HTML.
I have tried a few things along the lines of preg_replace, str_replace, unescape, urldecode but I am not having any luck.

On the line below, I am outputting a list of WordPress posts, but if they have an apostrophe in the content, it is escaped.

function qrcode_showquestions() {

//shows all questions as a div based table	
	echo '<div id="qr">';
		echo '<h2>Questions</h2>';
		
		echo '<div id="qrcodequestions" class="questions">';
		
		$args = array( 'post_type' => 'qrcode_question', 'posts_per_page' => '99' );
		$loop = new WP_Query( $args );
		
		if (!$loop->have_posts()) {
			echo '<div class="questioncontainer">';
				echo '<div class="question">There are no Questions in the system at this time, please add some</div>';
			echo '</div>';
		} else {
		?><form action='' method='POST' id='qrcodeform'><?php
		while ( $loop->have_posts() ) : $loop->the_post();
			echo '<div class="questioncontainer">';
				echo '<div class="question">';
					stripslashes2(the_content());          //######## Error Line
				//echo "test";
				echo '</div>';
				echo '<div class="qrcode_button"><input type="submit" name="responses" id="res'.get_the_ID().'" value="Responses" /></div>';
				echo '<div class="qrcode_button"><input type="submit" name="answers" id="ans'.get_the_ID().'" value="Answers" /></div>';
				echo '<div class="qrcode_button"><input type="submit" name="delete" id="del'.get_the_ID().'" value="Delete" /></div>';
			echo '</div>';
		endwhile;
		?></form><?php
		} //end if 
		
		echo '<div class="addquestion">';
			add_question_box(); 
			echo '</div>';
		echo '</div>';
	echo '</div>';
} //end qrcode_question

function stripslashes2($string) {
    $string = str_replace("\\\"", "", $string);
	$string = str_replace("\\\\", "", $string);
    $string = str_replace("\\'", "'", $string);
	$string = str_replace("\'", "'", $string);
    
    return $string;
}



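A potential reason for the error is the way it is input to WordPress, which is via this function:
function add_edit_question ($question, $post_id=0)
{
	global $user_ID; // WordPress global; without this declaration $user_ID is undefined inside the function
	// Create post object, send $post_id to edit question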
	$my_post = array(
		 'post_title' => $question,
		 'post_content' => $question,
		 'post_status' => 'publish',
		 'post_author' => $user_ID,
		 'post_type' => 'qrcode_question'
	);

	// Insert the post into the database
	return wp_insert_post( $my_post );
  
} //end add_question



Thoughts? Ideas?
Question by:Craig Lambie

Expert Comment

by:Terry Woods
It wouldn't be due to magic_quotes would it? http://nz.php.net/manual/en/security.magicquotes.what.php

Expert Comment

by:Ray Paseur
You might want to have a look at this article:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_6630-Magic-Quotes-a-bad-idea-from-day-one.html

Looking at the first code snippet, you might want to substitute this for the existing code at line 39...46.  I haven't tested it but it seems right in principle.  HTH, ~Ray
function stripSlashes2($string) 
{
    while ( strpos($string, '\') !== FALSE)
    {
        $string = stripSlashes($string);
    }    
    return $string;
}


Author Comment

by:Craig Lambie
I thought that too, and added a line of code to the theme functions, but it didn't do anything....

Accepted Solution

by:
Ray Paseur earned 350 total points
Looking again at the first code snippet, I see this on line 21.
stripslashes2(the_content());          //######## Error Line


From that it appears there may be two things worth changing.

Thing one might be that the stripslashes2() function provides a return value, but there is no assignment operator.  In other words, the existing code calls the function and discards the work product.

Thing two might be that the input to stripslashes2() is not located in the_content() but instead is located in $loop->the_content().  Not sure, but easy enough to test.

Taken together these two things lead me to believe that the correct code for line 21 might be something more like this.
echo stripslashes2($loop->the_content());        


When you are debugging it is sometimes useful to do data visualization.  You can use var_dump() to print out the contents of a variable.  Best of luck with it, ~Ray

Author Comment

by:Craig Lambie
Ok, I have tried all your suggestions with no luck...
It might be something to do with how the_content() has its own echo in the function maybe?

But here is the line that is causing the error in the "inputting" of the data to the database:
$question = trim(htmlspecialchars(mysql_real_escape_string($question)));



Which if I remove the mysql_real_escape_string it will invite SQL injection, but also fixes my issue....

This is the line I added to functions.php in the theme to fix magic quotes:
if ( get_magic_quotes_gpc() ) {
    $_POST      = array_map( 'stripslashes_deep', $_POST );
    $_GET       = array_map( 'stripslashes_deep', $_GET );
    $_COOKIE    = array_map( 'stripslashes_deep', $_COOKIE );
    $_REQUEST   = array_map( 'stripslashes_deep', $_REQUEST );
}



Ray_Paseur, your function above needed an escape on the backslash to work btw.
function stripSlashes2($string) 
{
    while ( strpos($string, '\\') !== FALSE)
    {
        $string = stripSlashes($string);
    }    
    return $string;
}
             





Ok.  I have found the problem and fixed it, I tried this yesterday, but I forgot to add "echo" to the line, so thanks Ray for that one.
echo stripslashes2(get_the_content());

function stripslashes2($string) {
    $string = str_replace("\\\"", "", $string);
	$string = str_replace("\\\\", "", $string);
    $string = str_replace("\\'", "'", $string);
	$string = str_replace("\\\'", "'", $string);
    
    return $string;
}
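
The input line quoted in this comment, reproduced as an added example that is not part of the original post: a value escaped by hand and then passed through a layer that already handles SQL quoting is stored with the backslash, while a bound parameter alone stores it verbatim. Assumptions: PDO with in-memory SQLite stands in for the WordPress database layer, addslashes() stands in for mysql_real_escape_string(), and the sample inputs and the store_and_fetch() helper are constructed for illustration.

```php
<?php
// Added example: constructed input and an in-memory SQLite table stand in
// for the form field and the WordPress posts table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY, content TEXT)');

// Hypothetical helper: store a value with a bound parameter and read back
// exactly what the database holds.
function store_and_fetch(PDO $pdo, string $content): string
{
    $insert = $pdo->prepare('INSERT INTO questions (content) VALUES (:content)');
    $insert->execute([':content' => $content]);

    $select = $pdo->prepare('SELECT content FROM questions WHERE id = :id');
    $select->execute([':id' => $pdo->lastInsertId()]);
    return $select->fetchColumn();
}

// Constructed sample inputs: an apostrophe, and a string shaped like an
// injection attempt.
$inputs = ["What's your name?", "x'); DROP TABLE questions; --"];

foreach ($inputs as $raw) {
    // Pattern from the thread: escape for SQL by hand, then hand the result to
    // an API that already handles SQL quoting. addslashes() is a stand-in for
    // mysql_real_escape_string(), which needs a live MySQL connection.
    $double = store_and_fetch($pdo, trim(htmlspecialchars(addslashes($raw))));

    // Alternative: store the trimmed raw text; the bound parameter keeps it
    // as data, never as SQL.
    $single = store_and_fetch($pdo, trim($raw));

    echo "input:              $raw\n";
    echo "escaped then bound: $double\n";
    echo "bound only:         $single\n";
    // HTML-encode at output time, for the context being written into.
    echo "html output:        " . htmlspecialchars($single, ENT_QUOTES, 'UTF-8') . "\n\n";
}

// Every insert succeeded and the table still exists.
echo 'rows: ' . $pdo->query('SELECT COUNT(*) FROM questions')->fetchColumn() . "\n";
```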


Expert Comment

by:Ray Paseur
Comment Utility
Yes, I see the need for the double escape.  I don't use systems with magic quotes, so it's hard for me to test the damage that magic quotes can inflict!
See http://www.laprbass.com/RAY_temp_cclambie.php
<?php // RAY_temp_cclambie.php
error_reporting(E_ALL);
echo "<pre>";


// SHOW THE EFFECT OF ADDING SLASHES TWICE.
// YOU CAN DO THIS WITH ADDSLASHES, OR MAGIC QUOTES
// AND YOU CAN DOUBLE IT UP WITH MYSQL_REAL_ESCAPE_STRING()


function stripSlashes2($string)
{
    while ( strpos($string, '\\') !== FALSE)
    {
        $string = stripSlashes($string);
    }
    return $string;
}

// CREATE A STRING WITH AN APOSTROPHE
$thing = <<<THING
O'Reilly
THING;
var_dump($thing);

// ESCAPE IT MORE THAN ONE TIME
$slash = addslashes($thing);
$slash = addslashes($slash);
var_dump($slash);

// CLEAN IT AND SEE WHAT IT SAYS
$clean = stripSlashes2($slash);
var_dump($clean);


Author Closing Comment

by:Craig Lambie
All fixed, thanks. Sorry, I should have awarded when I wrote my last reply.