HomeAboutContactPrivacy PolicySitesResourcesMore Free Stuff
Chip's Tips for Developers

Contains coding, but not narcotic.

Magic quotes correction for Jerome’s Keywords WordPress plugin

August 4th, 2006 9:42:58 am pst by Sterling Camden

Mike Koepke reported a problem he was having with the Jerome’s Keywords plugin when he searched on a tag that contained a single quote:

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 's Creek' OR jkeywords_meta.meta_value LIKE 'Wilson's Creek,%' OR jkeywords_meta.' at line 1] SELECT DISTINCT * FROM wp_posts LEFT JOIN wp_postmeta AS jkeywords_meta ON (wp_posts.ID = jkeywords_meta.post_id) WHERE 1=1 AND post_date_gmt

I was unable to reproduce the behavior on my version, but it appears from the error message that the quote is not getting “quoted“. So, I added the following line to the “keywords_postsWhere” function in jeromes-keywords.php:

$keyword = str_replace("'", "''", $keyword);

Using the simple quote-doubling escape route. This solved the problem for Mike, but it didn’t work with my version, and from the resulting error message I could see that in my version the quote was already being escaped via a backslash (\). Modifying my fix to use backslash quoting didn’t work for me, either, because then the backslash gets backslashed.

Comparing versions, I was using MySQL 3.23.54 with PHP 4.4.1. Mike is on MySQL 4.1.14 and PHP 5.0.4. Then Mike tried this out on a local server with MySQL 5.0.22 and PHP 5.14, and got the same results as I did. So we both concluded that something got broken in MySQL or PHP between my early version and Mike’s live version, but has since been fixed again. Or was there some option that needed enabling on Mike’s live server? My Google searches for an explanation of this phenomenon were fruitless.

Clusty to the rescue. Clusty lead me to this post. It turns out that PHP has a runtime option, magic_quotes_gpc, that is enabled by default. This option automagically escapes quotes, backslashes, and nulls in a GET, POST, or cookie with a backslash. Bingo.

As with most (all?) PHP options, you can query the setting of magic_quotes_gpc at runtime via (20 guesses?) get_magic_quotes_gpc(), natch. So I changed my fix as follows:

if (!get_magic_quotes_gpc()) {
$keyword = addslashes($keyword);
}

You can download the corrected version below. If Jerome would like to adopt this fix in his master version, I’ll take down my copy and point to him instead. Johannes, you might want to implement a similar test in your Jerome’s Keywords Manager plugin. Sorry to give you one more place to go after your “final destination”.

UPDATE: Jerome has released a 2.0 beta version of the plugin that appears to address this issue. Mike Koepke, can you verify? If you’re using my tag cloud widget, you’ll need version 2.0 of that as well.

Tags: , , , , , , , , , , , ,

Posted in PHP, SQL, Web, Wildly popular, WordPress | 7 Comments » RSS 2.0 | Sphere it!

7 Responses to “Magic quotes correction for Jerome’s Keywords WordPress plugin”

  1. That quote escapes me -- Chip’s Quips says:
    August 4, 2006 at 10:00 am

    [...] Hey fellow tag cloud inhabitants! I just posted another correction to the Jerome’s Keywords plugin over on Chip’s Tips. [...]

    Reply
  2. Tag cloud sidebar widget for WordPress -- Chip’s Tips for Developers says:
    August 4, 2006 at 10:04 am

    [...] Recent Comments That quote escapes me — Chip’s Quips on Magic quotes correction for Jerome’s Keywords WordPress pluginMagic quotes correction for Jerome’s Keywords WordPress plugin — Chip’s Tips for Developers on Correction for Jerome’s Keywords plugin for WordPressSterling Camden on Correction for Jerome’s Keywords plugin for WordPressMike on Correction for Jerome’s Keywords plugin for WordPressMike on Correction for Jerome’s Keywords plugin for WordPress Post Stats [...]

    Reply
  3. jerome says:
    August 5, 2006 at 7:01 am

    Strange… WordPress used to do this automatically for all GET/POST/COOKIE variables. Time to dust off my copy and have a look!

    Reply
  4. Sterling Camden says:
    August 5, 2006 at 11:24 am

    Jerome, thanks for responding. PHP does this automatically if you have the magic_quotes_gpc option on, and it is on by default. But since it is possible for administrators to turn the option off, it’s nice to have your code handle that case.

    Again, let me know if you put my corrections or some equivalent into your version, and I’ll take mine down and point to you. I’d rather not introduce a schism in the Tagolic Church.

    Reply
  5. Jeroaming versions -- Chip’s Quips says:
    August 5, 2006 at 12:42 pm

    [...] That makes at least three people besides Jerome who have contributed to the functionality of this plugin, resulting in three different versions of the plugin itself, an add-on plugin, and a widget. What do you say, Jerome, can we get all these pieces packaged together before they get further split apart? Can we set up some sort of collaborative development project to help you to keep up? [...]

    Reply
  6. Mike says:
    August 21, 2006 at 4:13 am

    Chip,

    Not sure if you saw this or not, but the beta of Jerome’s Keywords 2.0 is out. http://vapourtrails.ca/2006-08/keywords-20-beta

    Also, your 2.1 version still has an issue with ‘s. Now if I enter a keyword in my post with an apostrophe (Chip’s for example), I get a WordPress DB SQL error.

    Mike

    Reply
  7. Sterling Camden says:
    August 21, 2006 at 8:11 am

    That’s odd — does this only happen when magic_quotes_gpc is disabled?

    Reply

Leave a Reply

Theme © 2006, Ported by Kaushal Sheth | Designed by NOW-Design | Modified by Sterling Camden
Header graphic designed by Kiltak of [Geeks Are Sexy]
Open Word License (OWL) All content on this site, including downloadable files, may be reproduced or distributed under the terms of the Open Works License (OWL) (view license)
Better Tag Cloud