Oof. I am having some sort of problem with my server. I was going to make a post on Monday, but something in my PHP and/or MySQL setup has changed in an odd way. (remember I reinstalled/upgraded pretty much everything on the system that is involved with serving web pages a couple of weeks ago)
If I try to post content that contains a single-quote character, I get a database error due to invalid syntax. The WordPress database driver is supposed to auto-escape the content to prevent this, but something seems to be causing that to fail. On the other hand, if I add code to escape the content just before it is saved into the table, then it winds up being double-escaped.
I’m running PHP 4.4.2, and MySQL 5.0.18. PHP reports that magic_quotes_gpc is on, and magic_quotes_runtime is off. I’ve tested on a clean install of WordPress with no plugins activated, and it exhibits the same behavior. Does anybody out there have any ideas on why this is happening?
12 Comments
Hi, something just came out today about quote problems (actually an exploit it seems) in WP 2.0:
http://myimei.com/security/2006-02-15/wordpress200autors-websitexss-attack.html#more-14
Do you know if WP 2.01 is also vulnerable ? Maybe someone exploited this hole on your blog.
I just posted my comments on that. There’s no security problem.
Do the posts go through, though? I’ve been seeing a lot of admin-side escaping errors since going to 2.x and it’s driving me batty. Highly annoying.
Are you using the enhanced html editor or the plain vanilla post editor? The former injects needless mounts of formatting crap - the later doesn’t.
Turn magic quotes off… All of them.
And try again.
Doug: Yes, it appears that the edits are still saved to the db. Wierd, huh?
Brendan: I don’t use the WYSIWYG editor. And I also remove the wp-texturize filter and code all my HTML by hand. None of which should matter (and yes, I tried without any plugins active). The WP code is supposed to automagically escape the data before doing the SQL INSERTs. I’m sure that this isn’t a fault in WP, though, or many others would be reporting the same problem. This is something messed up in my Apache/PHP/MySQL environment, I’m pretty sure.
Rudd-O: Good suggestion. But it didn’t work. I also tried turning off the MySQL query cache, but that didn’t fix it, either. The reason I tried that was that actually I was able to resave the draft once without errors, so I thought that it had worked. But then I tried to save the draft a second time, and the errors occurred again.
Aha. It turns out that this is a WordPress bug.
So, then this isn’t why the ol’ JabFoaf (Roster2FOAF) isn’t working?
I am having the same problem with the email blogging feature. Any time a post is emailed with a single apostrophe, wp-mail chokes and spits out MySQL syntax errors…
Actually, the JabFOAF stuff has been broken for a while. Every once in a blue moon, I try to figure out what’s wrong, but I haven’t been able to fix it yet. I think there’s some sort of conflict between the Jabber class I was using and something else in my site.
Stupid question: Do you have the runPHP plug-in installed to run PHP scripts from your posts? If so, do you have it turned on for that post? I ran into the exact same problem. Ended up just being that runPHP plugin.
Ben: not a stupid question at all. I use the PHP Exec plugin. And I’ve suspected that the PHP Jabber libraries just don’t want to work well with PHP Exec for some reason, but haven’t had time to track it down.
What I need to do is redo the JabFOAF pages as custom template pages.
One Trackback
[...] I originally wrote this up on Monday the 13th, but didn’t get to post it until now because I wound up tracking down a WordPress bug. [...]