Apostrophe in saved text input

Apostrophe in saved text input

raisoncoraisonco Posts: 14Questions: 5Answers: 0

Using Editor Datatables if I enter:

Testing Apostrophe's out

It is saved as

Testing Apostrophe\'s out

I saw some forum posts about Magic Quotes, but I'm using PHP 7.14 so that should rule that feature out.

Any ideas about this appreicated.

Thanks

Answers

  • colincolin Posts: 3,991Questions: 0Answers: 709

    Hi @raisonco ,

    Could you take a look at this thread, please, there's a few suggestions and links which may be useful. If not, reply back,

    Cheers,

    Colin

  • raisoncoraisonco Posts: 14Questions: 5Answers: 0

    Thanks for the link.

    Don't think magic quotes as the other thread suspects. I am using PHP 7.x and also if I var_dump(get_magic_quotes_gpc()) i get false.

    Any other ideas?

    Cheers

  • allanallan Posts: 49,068Questions: 1Answers: 7,175 Site admin

    Agreed - PHP 7 removes magic quotes.

    What do you get is you add print_r( $_POST ); before the Editor PHP initialisation for when you perform an edit? It will be invalid JSON, but what does the return show?

    Thanks,
    Allan

  • raisoncoraisonco Posts: 14Questions: 5Answers: 0

    Data outputted below -- you can see the offending apostrophe's for the item_description field.... Any help appreciated - ta

    Array ( [day_id] => 29 ) {"data":[{"DT_RowId":"row_100","mtp_event_schedule_items":{"item_id":"100","item_datetime_start":"10:00:00","item_datetime_end":"11:00:00","item_speaker_id":"59","item_track_id":"65","item_track_title":"Test1","item_description":"Description","item_track_merged":"","item_component_type":"sessions","item_link":""},"mtp_event_schedule_day_meta":{"meta_value":"Track One"},"mtp_event_schedule_items_meta":{"day_id":"29"}},{"DT_RowId":"row_101","mtp_event_schedule_items":{"item_id":"101","item_datetime_start":"11:30:00","item_datetime_end":"12:30:00","item_speaker_id":"59","item_track_id":"65","item_track_title":"Test2","item_description":"Description","item_track_merged":"Merged","item_component_type":"keynote","item_link":""},"mtp_event_schedule_day_meta":{"meta_value":"Track One"},"mtp_event_schedule_items_meta":{"day_id":"29"}},{"DT_RowId":"row_102","mtp_event_schedule_items":{"item_id":"102","item_datetime_start":"14:00:00","item_datetime_end":"15:30:00","item_speaker_id":"","item_track_id":"65","item_track_title":"Test3","item_description":"Session\\'s apostrophe","item_track_merged":"","item_component_type":"sessions","item_link":""},"mtp_event_schedule_day_meta":{"meta_value":"Track One"},"mtp_event_schedule_items_meta":{"day_id":"29"}}],"options":{"mtp_event_schedule_items.item_speaker_id":[{"label":"1","value":"1"},{"label":"61","value":"61"},{"label":"62","value":"62"},{"label":"63","value":"63"}],"mtp_event_schedule_items.item_track_id":[{"label":"Track One","value":"65"}]},"files":[],"debug":[{"query":"SELECT `mtp_event_schedule_items`.`item_id` as 'mtp_event_schedule_items.item_id', `mtp_event_schedule_items`.`item_datetime_start` as 'mtp_event_schedule_items.item_datetime_start', `mtp_event_schedule_items`.`item_datetime_end` as 'mtp_event_schedule_items.item_datetime_end', `mtp_event_schedule_items`.`item_speaker_id` as 'mtp_event_schedule_items.item_speaker_id', `mtp_event_schedule_items`.`item_track_id` as 'mtp_event_schedule_items.item_track_id', `mtp_event_schedule_day_meta`.`meta_value` as 'mtp_event_schedule_day_meta.meta_value', `mtp_event_schedule_items`.`item_track_title` as 'mtp_event_schedule_items.item_track_title', `mtp_event_schedule_items`.`item_description` as 'mtp_event_schedule_items.item_description', `mtp_event_schedule_items`.`item_track_merged` as 'mtp_event_schedule_items.item_track_merged', `mtp_event_schedule_items`.`item_component_type` as 'mtp_event_schedule_items.item_component_type', `mtp_event_schedule_items`.`item_link` as 'mtp_event_schedule_items.item_link', `mtp_event_schedule_items_meta`.`day_id` as 'mtp_event_schedule_items_meta.day_id' FROM `mtp_event_schedule_items` LEFT JOIN `mtp_event_schedule_items_meta` ON `mtp_event_schedule_items`.`item_id` = `mtp_event_schedule_items_meta`.`item_id` LEFT JOIN `mtp_event_schedule_day_meta` ON `mtp_event_schedule_items`.`item_track_id` = `mtp_event_schedule_day_meta`.`id` LEFT JOIN `mtp_event_schedule_speakers` ON `mtp_event_schedule_speakers`.`speaker_id` = mtp_event_schedule_day_meta.meta_value AND mtp_event_schedule_day_meta.meta_key = \"speaker_id\" WHERE `mtp_event_schedule_items_meta`.`day_id` = :where_0 ","bindings":[{"name":":  where_0","value":"29","type":null}]},{"query":"SELECT DISTINCT `meta_value` as 'meta_value', `meta_value` as 'meta_value' FROM `mtp_event_schedule_day_meta` WHERE (`mtp_event_schedule_day_meta`.`day_id` = :where_1 AND `mtp_event_schedule_day_meta`.`meta_key` = :where_2 )","bindings":[{"name":":where_1","value":"29","type":null},{"name":":where_2","value":"speaker_id","type":null}]},{"query":"SELECT DISTINCT `id` as 'id', `meta_value` as 'meta_value' FROM `mtp_event_schedule_day_meta` WHERE (`mtp_event_schedule_day_meta`.`day_id` = :where_1 AND `mtp_event_schedule_day_meta`.`meta_key` = :where_2 )","bindings":[{"name":":where_1","value":"29","type":null},{"name":":where_2","value":"track","type":null}]}]}
    
    
  • allanallan Posts: 49,068Questions: 1Answers: 7,175 Site admin

    Good - thanks! That means that its not the Editor libraries that is adding them. The next thing to check is what is being sent from the client-side. You can do that in the "headers" section of the Ajax request in the Network inspector of your browser for the edit action.

    I'm very much thinking that there is something in the PHP or HTTP server that is injecting those apostrophes for some reason. Can you show me the output of phpinfo();?

    Thanks,
    Allan

  • raisoncoraisonco Posts: 14Questions: 5Answers: 0

    Thanks for the help Allan

    I can see from the console params form data:

    data[row_63][mtp_event_schedule_speakers][speaker_bio_large]: Apostrophe's+Test's

    and then under response:

    speaker_bio_large: Apostrophe\'s Test\'s

    Request header:
    Host: mind.local
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:63.0) Gecko/20100101 Firefox/63.0
    Accept: application/json, text/javascript, /; q=0.01
    Accept-Language: en-GB,en;q=0.5
    Accept-Encoding: gzip, deflate, br
    Referer: https://mind.local/members/?mvc_app_route=schedule/edit_conf_day&conf_id=1&conf_day_id=29
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 412
    DNT: 1
    Connection: keep-alive
    Cookie: _ga=GA1.2.1847410312.1541761374; XDEBUG_SESSION=XDEBUG_ECLIPSE; PHPSESSID=d38b3ae64b715de312da77b0c0c1ea5f; _gid=GA1.2.914210462.1544439452; _hjIncludedInSample=1; wordpress_test_cookie=WP+Cookie+check; wp-settings-228=libraryContent%3Dbrowse%26editor%3Dtinymce%26imgsize%3Dbloglarge; wp-settings-time-228=1544536486; modalNewsletterSignup=false; wordpress_logged_in_ab48360bb2ab035b756a23440125aae0=elliot%7C1544888407%7Ci5qm48dMOvM6XeF0qpJFPY8bufedoc4yfwOodBuCrEG%7C45a4db6ad2983de23c2e19b06c0146d6565f878269d78fee9424a4155a06a821; _fbp=fb.1.1544780110012.302249802
    TE: Trailers

    Response Headers:
    HTTP/2.0 200 OK
    server: nginx/1.13.12
    date: Fri, 14 Dec 2018 11:31:27 GMT
    content-type: text/html; charset=UTF-8
    content-length: 496
    x-powered-by: PHP/7.1.4
    pragma: no-cache
    expires: Wed, 11 Jan 1984 05:00:00 GMT
    cache-control: no-cache, must-revalidate, max-age=0
    vary: Accept-Encoding
    content-encoding: gzip
    X-Firefox-Spdy: h2

    Also here is the stack trace, which I thought was interesting as perhaps the Ajax at the start is adding the escaping/slashes:

    send
    

    https://mind.local/wp-includes/js/jquery/jquery.js:4:26575
    ajax
    https://mind.local/wp-includes/js/jquery/jquery.js:4:22178
    h.prototype._ajax
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:77:400
    h.prototype._submit
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:94:368
    l/<
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:63:113
    h.prototype._event
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:84:49
    l
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:63:35
    h.prototype.submit
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:63:257
    action
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:119:491
    h.prototype.buttons/</<
    https://mind.local/wp-content/mvc_app/libraries/DataTablesEditor/js/dataTables.editor.min.js:47:95
    dispatch
    https://mind.local/wp-includes/js/jquery/jquery.js:3:12392
    add/r.handle
    https://mind.local/wp-includes/js/jquery/jquery.js:3:9156

    My php info is long so have saved in this file:
    https://www.dropbox.com/s/j5dbm4nbbk9xk0e/phpinfo.txt?dl=0

    Thanks again!

  • raisoncoraisonco Posts: 14Questions: 5Answers: 0

    Just to clarify I wanted to remove the slashes and not the apostrophes.

    In the end I can get around this by adding:

    ->getFormatter( function ( $val, $data, $opts ) { return stripslashes_deep($val);} ),

    which uses the WordPress function stripslashes_deep() (because I'm building in WP).

    So it looks like I need to add this for each and every string field. Blimey, that's a rather inelegant solution! There must be a better way and I can't be the first to want to unescape the strings from the db...

    Ideas welcome!

    Cheers

  • allanallan Posts: 49,068Questions: 1Answers: 7,175 Site admin

    Hi,

    Thanks for the extra details. So we have, on submit:

    data[row_63][mtp_event_schedule_speakers][speaker_bio_large]: Apostrophe's+Test's

    And for print_r($_POST):

    [...] "item_description":"Session\'s apostrophe", [...]

    That suggests to me that something in the pre-processing is adding the slashes at the server-side. I don't believe that it would be Editor since you haven't hit any Editor specific code on the server at the point of the print_r.

    It looks like WordPress might be calling a wp_magic_quotes function that is the cause of this. See this SO thread, particularly the second answer and it includes a workaround in WordPress.

    Allan

  • raisoncoraisonco Posts: 14Questions: 5Answers: 0

    Hi Allan

    Thanks for your help here.

    Isn't Editor going to escape the string with an apostrophe so it is saved safely in the database.

    Don't we always want that when dealing with a MySQL db table? For instance

    Elliot's test => Elliot\'s test

    Then I would expect that Editor would then unescape the apostrophe on output.

    Sorry to take it back to basics, but I don't think this is WP or wp_magic_quotes as I'm working on code that is isolated from the WP codebase.

    Appreciate the help!

    E

  • allanallan Posts: 49,068Questions: 1Answers: 7,175 Site admin

    Isn't Editor going to escape the string with an apostrophe so it is saved safely in the database.

    No. It uses bound parameters. For example, the query string constructed might be:

    INSERT INTO test (col1, col2)
    VALUES (:val1, :val2)
    

    Then we bind the real values to :val1 and :val2 - see the PHP docs.

    That method is far more secure that just adding apostrophes since it allows the database to do any escaping required, and it always will, regardless of if the dev using it forgets to escape or not. That is why magic quotes have been removed from PHP - they were a mess and should never have been used.

    If you are interested this is where Editor does its value binding.

    Allan

Sign In or Register to comment.