Ticket #914 (closed defect (bug): fixed)

Opened 4 years ago

Last modified 2 years ago

wrong search string escaping/slashes

Reported by: nbachiyski Assigned to: ryan
Priority: normal Milestone: 2.1
Component: Template Version: 2.0.7
Severity: minor Keywords: has-patch commit
Cc: daniel@acceleration.net

Description

Search for ' and \\\' will appear in the input field. " -> \\\ & -> &

Attachments

search-slashes.diff (2.2 kB) - added by nbachiyski on 05/21/05 06:34:45.
914.diff (1.9 kB) - added by mdawaffe on 08/31/06 17:31:50.
give it a template tag

Change History

02/19/05 04:16:20 changed by nbachiyski

  • Patch set to No.

02/25/05 10:57:53 changed by nbachiyski

In classes.php, $qs has slashes added again, despite the fact that it has already passed through the add_magic_quotes function before.

For database use the search string needs slashes, but when writing it to the templates it does not. I have added striptags calls in the template pages.

02/25/05 15:49:09 changed by ryan

  • Patch changed from No to Yes.

03/02/05 15:52:47 changed by ryan

  • owner changed from anonymous to rboren.
  • status changed from new to assigned.

03/02/05 16:02:01 changed by ryan

Even if we get rid of the extra addslashes, searches will still show a single set of slashes. \' instead of \\\'. We can either add stripslashes to Kubrick's templates, or not addslashes by default when processing GPC in the blog header. Not adding slashes by default and instead relying on those functions that query the DB to addslashes as appropriate seems to be the cleanest way to do this, but that should wait until after 1.5.1.

03/02/05 16:15:16 changed by nbachiyski

I also prefer not adding slashes by default and escape strings only for DB operations.

Now, as I understand, the choice is between leaving the bug in 1.5.1 or applying the dirty "stripslashes in Kubrick" hack before reorganizing all that code. My choice was the second.

Which is the less evil of the two?
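The two comments above describe the escaping chain at the root of this ticket: PHP's magic_quotes_gpc may add one set of slashes, the blog header's add_magic_quotes adds another, classes.php adds a third, and whatever survives is echoed straight into the search input. The script below is an added example written for this page, not WordPress code: it reproduces that chain and then shows the approach ryan and nbachiyski favour, keeping the raw string for templates and escaping only at the SQL boundary (plus HTML-attribute escaping for output). The function names gpc_value, buggy_template_value, raw_search_string, search_query_for_sql and the_search_query_safe are invented for illustration and the search term is constructed.

```php
<?php
// Added example, not WordPress code. Function names are invented for
// illustration; the input "O'Reilly" is a constructed test value.

// Simulate the value of ?s=... as PHP hands it to the script.
// With magic_quotes_gpc=on, PHP has already applied addslashes() once.
function gpc_value(string $raw, bool $magic_quotes_gpc): string {
    return $magic_quotes_gpc ? addslashes($raw) : $raw;
}

// The code path described in this ticket: add_magic_quotes() in the blog
// header slashes GPC data, then classes.php calls addslashes() again, and the
// template echoes the result into the search box unchanged.
function buggy_template_value(string $raw, bool $magic_quotes_gpc): string {
    $s = gpc_value($raw, $magic_quotes_gpc);
    $s = addslashes($s);   // add_magic_quotes() on GPC in the header
    $s = addslashes($s);   // second addslashes() in classes.php
    return $s;             // what the template put in the input field
}

// Normalise once: undo PHP's own magic quotes so the application works on the
// raw string, whatever the php.ini setting is.
function raw_search_string(string $request_value, bool $magic_quotes_gpc): string {
    return $magic_quotes_gpc ? stripslashes($request_value) : $request_value;
}

// Escape exactly once, at the SQL boundary, from the raw string.
function search_query_for_sql(string $raw): string {
    return addslashes($raw);
}

// Escape for HTML attribute output only; no SQL escaping reaches the page.
function the_search_query_safe(string $raw): string {
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

$input = "O'Reilly";   // constructed search term containing a single quote
foreach ([true, false] as $mq) {
    $label   = $mq ? 'magic_quotes_gpc=on ' : 'magic_quotes_gpc=off';
    $request = gpc_value($input, $mq);
    $raw     = raw_search_string($request, $mq);
    printf("%s buggy template: %s\n", $label, buggy_template_value($input, $mq));
    printf("%s raw: %s  sql: %s  html: %s\n", $label, $raw,
           search_query_for_sql($raw), the_search_query_safe($raw));
}
```

Running it shows why the backslash counts in this ticket differ by php.ini setting: three addslashes() passes on a single quote yield seven backslashes, two passes yield three. With the raw/boundary split, the value shown in the template is the same regardless of magic_quotes_gpc, and the only place slashes appear is the string handed to the database.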

05/21/05 06:34:45 changed by nbachiyski

  • attachment search-slashes.diff added.

06/02/05 21:16:52 changed by dwc

  • cc set to daniel@acceleration.net.

08/31/06 17:31:50 changed by mdawaffe

  • attachment 914.diff added.

give it a template tag

08/31/06 17:32:57 changed by mdawaffe

  • keywords set to has-patch commit.
  • milestone set to 2.1.

914.diff

  1. create wp_search_query() template tag which echoes the query.

09/07/06 04:40:54 changed by ryan

Whatcha think, wp_search_query() or the_search_query()? Or maybe just the_search()? These are important questions. :-)

09/07/06 12:33:36 changed by markjaquith

the_search_query() or search_query()

the wp_blah() ones usually accept a query string with a bunch of parameters.

09/07/06 16:46:08 changed by mdawaffe

I like the_search_query(), but search_query() is a much better band name.

09/07/06 17:37:29 changed by ryan

  • status changed from assigned to closed.
  • resolution set to fixed.

(In [4171]) the_search_query() from mdawaffe. fixes #914

01/22/07 18:55:50 changed by thenlich

  • status changed from closed to reopened.
  • version changed from 1.5 to 2.0.7.
  • resolution deleted.

Found the same problem in 2.0.7: ' (single quote) becomes \\\\\\\' with magic_quotes_gpc on (7 backslashes, then a single quote), or \\\' with magic_quotes_gpc=off (3 backslashes, then a quote).

01/22/07 19:55:19 changed by ryan

With one of the default themes? If you're having problems with a third party theme, that theme needs to be changed.

01/22/07 20:47:13 changed by thenlich

Yes, with theme: WordPress Default 1.6

01/24/07 03:51:04 changed by foolswisdom

  • milestone changed from 2.1 to 2.1.1.

01/24/07 06:34:20 changed by markjaquith

  • status changed from reopened to closed.
  • resolution set to worksforme.

thenlich, please upgrade to the most recent version of the theme (the one in 2.0.7). Re-open with a URL demonstrating the issue, if it persists.

01/24/07 18:49:05 changed by foolswisdom

  • status changed from closed to reopened.
  • resolution deleted.
  • milestone changed from 2.1.1 to 2.1.

Changing back to previous fixed state.

01/24/07 18:49:09 changed by foolswisdom

  • status changed from reopened to closed.
  • resolution set to fixed.