Apostrophe in saved text input

raisonco Posts: 17 Questions: 5 Answers: 0

Using Editor Datatables if I enter:

Testing Apostrophe's out

It is saved as

Testing Apostrophe\'s out

I saw some forum posts about Magic Quotes, but I'm using PHP 7.14 so that should rule that feature out.

Any ideas about this appreciated.

Thanks

Answers

  • colin Posts: 15,240 Questions: 1 Answers: 2,599

    Hi @raisonco ,

    Could you take a look at this thread, please, there's a few suggestions and links which may be useful. If not, reply back,

    Cheers,

    Colin

  • raisonco Posts: 17 Questions: 5 Answers: 0

    Thanks for the link.

    Don't think magic quotes as the other thread suspects. I am using PHP 7.x and also if I var_dump(get_magic_quotes_gpc()) I get false.

    Any other ideas?

    Cheers

  • allan Posts: 63,471 Questions: 1 Answers: 10,467 Site admin

    Agreed - PHP 7 removes magic quotes.

    What do you get if you add print_r( $_POST ); before the Editor PHP initialisation for when you perform an edit? It will be invalid JSON, but what does the return show?

    Thanks,
    Allan

  • raisonco Posts: 17 Questions: 5 Answers: 0

    Data outputted below -- you can see the offending apostrophes for the item_description field.... Any help appreciated - ta

    Array ( [day_id] => 29 ) {"data":[{"DT_RowId":"row_100","mtp_event_schedule_items":{"item_id":"100","item_datetime_start":"10:00:00","item_datetime_end":"11:00:00","item_speaker_id":"59","item_track_id":"65","item_track_title":"Test1","item_description":"Description","item_track_merged":"","item_component_type":"sessions","item_link":""},"mtp_event_schedule_day_meta":{"meta_value":"Track One"},"mtp_event_schedule_items_meta":{"day_id":"29"}},{"DT_RowId":"row_101","mtp_event_schedule_items":{"item_id":"101","item_datetime_start":"11:30:00","item_datetime_end":"12:30:00","item_speaker_id":"59","item_track_id":"65","item_track_title":"Test2","item_description":"Description","item_track_merged":"Merged","item_component_type":"keynote","item_link":""},"mtp_event_schedule_day_meta":{"meta_value":"Track One"},"mtp_event_schedule_items_meta":{"day_id":"29"}},{"DT_RowId":"row_102","mtp_event_schedule_items":{"item_id":"102","item_datetime_start":"14:00:00","item_datetime_end":"15:30:00","item_speaker_id":"","item_track_id":"65","item_track_title":"Test3","item_description":"Session\\'s apostrophe","item_track_merged":"","item_component_type":"sessions","item_link":""},"mtp_event_schedule_day_meta":{"meta_value":"Track One"},"mtp_event_schedule_items_meta":{"day_id":"29"}}],"options":{"mtp_event_schedule_items.item_speaker_id":[{"label":"1","value":"1"},{"label":"61","value":"61"},{"label":"62","value":"62"},{"label":"63","value":"63"}],"mtp_event_schedule_items.item_track_id":[{"label":"Track One","value":"65"}]},"files":[],"debug":[{"query":"SELECT `mtp_event_schedule_items`.`item_id` as 'mtp_event_schedule_items.item_id', `mtp_event_schedule_items`.`item_datetime_start` as 'mtp_event_schedule_items.item_datetime_start', `mtp_event_schedule_items`.`item_datetime_end` as 'mtp_event_schedule_items.item_datetime_end', `mtp_event_schedule_items`.`item_speaker_id` as 'mtp_event_schedule_items.item_speaker_id', `mtp_event_schedule_items`.`item_track_id` as 
'mtp_event_schedule_items.item_track_id', `mtp_event_schedule_day_meta`.`meta_value` as 'mtp_event_schedule_day_meta.meta_value', `mtp_event_schedule_items`.`item_track_title` as 'mtp_event_schedule_items.item_track_title', `mtp_event_schedule_items`.`item_description` as 'mtp_event_schedule_items.item_description', `mtp_event_schedule_items`.`item_track_merged` as 'mtp_event_schedule_items.item_track_merged', `mtp_event_schedule_items`.`item_component_type` as 'mtp_event_schedule_items.item_component_type', `mtp_event_schedule_items`.`item_link` as 'mtp_event_schedule_items.item_link', `mtp_event_schedule_items_meta`.`day_id` as 'mtp_event_schedule_items_meta.day_id' FROM `mtp_event_schedule_items` LEFT JOIN `mtp_event_schedule_items_meta` ON `mtp_event_schedule_items`.`item_id` = `mtp_event_schedule_items_meta`.`item_id` LEFT JOIN `mtp_event_schedule_day_meta` ON `mtp_event_schedule_items`.`item_track_id` = `mtp_event_schedule_day_meta`.`id` LEFT JOIN `mtp_event_schedule_speakers` ON `mtp_event_schedule_speakers`.`speaker_id` = mtp_event_schedule_day_meta.meta_value AND mtp_event_schedule_day_meta.meta_key = \"speaker_id\" WHERE `mtp_event_schedule_items_meta`.`day_id` = :where_0 ","bindings":[{"name":":  where_0","value":"29","type":null}]},{"query":"SELECT DISTINCT `meta_value` as 'meta_value', `meta_value` as 'meta_value' FROM `mtp_event_schedule_day_meta` WHERE (`mtp_event_schedule_day_meta`.`day_id` = :where_1 AND `mtp_event_schedule_day_meta`.`meta_key` = :where_2 )","bindings":[{"name":":where_1","value":"29","type":null},{"name":":where_2","value":"speaker_id","type":null}]},{"query":"SELECT DISTINCT `id` as 'id', `meta_value` as 'meta_value' FROM `mtp_event_schedule_day_meta` WHERE (`mtp_event_schedule_day_meta`.`day_id` = :where_1 AND `mtp_event_schedule_day_meta`.`meta_key` = :where_2 )","bindings":[{"name":":where_1","value":"29","type":null},{"name":":where_2","value":"track","type":null}]}]}
    
    
  • allan Posts: 63,471 Questions: 1 Answers: 10,467 Site admin

    Good - thanks! That means that it's not the Editor libraries that are adding them. The next thing to check is what is being sent from the client-side. You can do that in the "headers" section of the Ajax request in the Network inspector of your browser for the edit action.

    I'm very much thinking that there is something in the PHP or HTTP server that is injecting those apostrophes for some reason. Can you show me the output of phpinfo();?

    Thanks,
    Allan

  • raisonco Posts: 17 Questions: 5 Answers: 0

    Thanks for the help Allan

    I can see from the console params form data:

    data[row_63][mtp_event_schedule_speakers][speaker_bio_large]: Apostrophe's+Test's

    and then under response:

    speaker_bio_large: Apostrophe\'s Test\'s

    Request header:
    Host: mind.local
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://mind.local/members/?mvc_app_route=schedule/edit_conf_day&conf_id=1&conf_day_id=29
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 412
    DNT: 1
    Connection: keep-alive
    Cookie: _ga=GA1.2.1847410312.1541761374; XDEBUG_SESSION=XDEBUG_ECLIPSE; PHPSESSID=d38b3ae64b715de312da77b0c0c1ea5f; _gid=GA1.2.914210462.1544439452; _hjIncludedInSample=1; wordpress_test_cookie=WP+Cookie+check; wp-settings-228=libraryContent%3Dbrowse%26editor%3Dtinymce%26imgsize%3Dbloglarge; wp-settings-time-228=1544536486; modalNewsletterSignup=false; wordpress_logged_in_ab48360bb2ab035b756a23440125aae0=elliot%7C1544888407%7Ci5qm48dMOvM6XeF0qpJFPY8bufedoc4yfwOodBuCrEG%7C45a4db6ad2983de23c2e19b06c0146d6565f878269d78fee9424a4155a06a821; _fbp=fb.1.1544780110012.302249802
    TE: Trailers

    Response Headers:
    HTTP/2.0 200 OK
    server: nginx/1.13.12
    date: Fri, 14 Dec 2018 11:31:27 GMT
    content-type: text/html; charset=UTF-8
    content-length: 496
    x-powered-by: PHP/7.1.4
    pragma: no-cache
    expires: Wed, 11 Jan 1984 05:00:00 GMT
    cache-control: no-cache, must-revalidate, max-age=0
    vary: Accept-Encoding
    content-encoding: gzip
    X-Firefox-Spdy: h2

    Also here is the stack trace, which I thought was interesting as perhaps the Ajax at the start is adding the escaping/slashes:

    send
    https://mind.local/wp-includes/js/jquery/jquery.js:4:26575
    ajax
    https://mind.local/wp-includes/js/jquery/jquery.js:4:22178
    h.prototype._ajax
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:77:400
    h.prototype._submit
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:94:368
    l/<
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:63:113
    h.prototype._event
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:84:49
    l
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:63:35
    h.prototype.submit
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:63:257
    action
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:119:491
    h.prototype.buttons/</<
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:47:95
    dispatch
    https://mind.local/wp-includes/js/jquery/jquery.js:3:12392
    add/r.handle
    https://mind.local/wp-includes/js/jquery/jquery.js:3:9156

    My php info is long so have saved in this file:
    https://www.dropbox.com/s/j5dbm4nbbk9xk0e/phpinfo.txt?dl=0

    Thanks again!

  • raisonco Posts: 17 Questions: 5 Answers: 0

    Just to clarify I wanted to remove the slashes and not the apostrophes.

    In the end I can get around this by adding:

    ->getFormatter( function ( $val, $data, $opts ) { return stripslashes_deep($val);} ),

    which uses the WordPress function stripslashes_deep() (because I'm building in WP).

    So it looks like I need to add this for each and every string field. Blimey, that's a rather inelegant solution! There must be a better way and I can't be the first to want to unescape the strings from the db...

    Ideas welcome!

    Cheers

  • allan Posts: 63,471 Questions: 1 Answers: 10,467 Site admin

    Hi,

    Thanks for the extra details. So we have, on submit:

    data[row_63][mtp_event_schedule_speakers][speaker_bio_large]: Apostrophe's+Test's

    And for print_r($_POST):

    [...] "item_description":"Session\'s apostrophe", [...]

    That suggests to me that something in the pre-processing is adding the slashes at the server-side. I don't believe that it would be Editor since you haven't hit any Editor specific code on the server at the point of the print_r.

    It looks like WordPress might be calling a wp_magic_quotes function that is the cause of this. See this SO thread, particularly the second answer and it includes a workaround in WordPress.

    Allan

  • raisonco Posts: 17 Questions: 5 Answers: 0

    Hi Allan

    Thanks for your help here.

    Isn't Editor going to escape the string with an apostrophe so it is saved safely in the database.

    Don't we always want that when dealing with a MySQL db table? For instance

    Elliot's test => Elliot\'s test

    Then I would expect that Editor would then unescape the apostrophe on output.

    Sorry to take it back to basics, but I don't think this is WP or wp_magic_quotes as I'm working on code that is isolated from the WP codebase.

    Appreciate the help!

    E

  • allan Posts: 63,471 Questions: 1 Answers: 10,467 Site admin

    > Isn't Editor going to escape the string with an apostrophe so it is saved safely in the database.

    No. It uses bound parameters. For example, the query string constructed might be:

    INSERT INTO test (col1, col2)
    VALUES (:val1, :val2)
    

    Then we bind the real values to :val1 and :val2 - see the PHP docs.

    That method is far more secure than just adding apostrophes since it allows the database to do any escaping required, and it always will, regardless of if the dev using it forgets to escape or not. That is why magic quotes have been removed from PHP - they were a mess and should never have been used.

    If you are interested this is where Editor does its value binding.

    Allan
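
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Editor's or WordPress's own code: a bound parameter stores the value byte for byte, so a backslash added by an earlier pre-processing step ends up in the database. It assumes PDO with the pdo_sqlite extension; the `saveAndReload()` helper and the input strings are constructed for illustration, and `addslashes()` stands in for whatever layer slashed the request data.

```php
<?php
// Added example. Input strings are constructed; the table mirrors the
// INSERT quoted above. Assumes the pdo_sqlite extension (in-memory database).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE test (id INTEGER PRIMARY KEY, col1 TEXT, col2 TEXT)');

// Insert with bound parameters, then read the row back exactly as stored.
function saveAndReload(PDO $db, string $val1, string $val2): array
{
    $insert = $db->prepare('INSERT INTO test (col1, col2) VALUES (:val1, :val2)');
    $insert->bindValue(':val1', $val1, PDO::PARAM_STR);
    $insert->bindValue(':val2', $val2, PDO::PARAM_STR);
    $insert->execute();

    $select = $db->prepare('SELECT col1, col2 FROM test WHERE id = :id');
    $select->bindValue(':id', (int) $db->lastInsertId(), PDO::PARAM_INT);
    $select->execute();
    return $select->fetch(PDO::FETCH_ASSOC);
}

$typed = "Testing Apostrophe's out";

// Case 1: the request value reaches the query untouched.
$direct = saveAndReload($db, $typed, 'direct');

// Case 2: a pre-processing layer has already slashed the request data
// (simulated here with addslashes(); on the page the suspect is WordPress).
$slashedInput = addslashes($typed);
$slashed = saveAndReload($db, $slashedInput, 'slashed');

// Case 3: undo that layer once, at the input boundary, before binding.
$unslashed = saveAndReload($db, stripslashes($slashedInput), 'unslashed');

foreach ([$direct, $slashed, $unslashed] as $row) {
    printf("%-10s stored as: %s\n", $row['col2'], $row['col1']);
}

// Binding never alters the value: what goes in is what comes out.
var_dump($direct['col1'] === $typed);          // apostrophe stored verbatim
var_dump($slashed['col1'] === $slashedInput);  // stray backslash stored too
var_dump($unslashed['col1'] === $typed);       // clean again after one unslash
```

Because binding stores whatever it is handed, the slashes have to be removed from the request data before it reaches the query; nothing in the database layer adds or strips them.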

This discussion has been closed.