Reputation: 13588
Wordpress WPDB and Mysql strange behaviour
I am using $wpdb and the following is part of the codes that calls $wpdb->update.
This code works well if it's normal [email protected], but when if users were to use the + sign in their username, e.g. [email protected], wpdb doesn't read the + sign
Below variables are from $_GET but i'm putting in values for readability.
$open_email = '[email protected]';
$open_key = '2f1e4b16a9a882bbef9b00906fc5c8f563fd70a5';
$open_time = time();
if (strlen($open_key) == 40) {
$status_update = $wpdb->update('status',
array(
'invite_status' => 'opened',
'open_time' => $open_time
),
array(
'invite_email' => $open_email,
'invite_token' => $open_key
),
array(
'%s',
'%d'
),
array(
'%s',
'%s'
)
);
}
var dump of $wpdb->last_query and $wpdb->last_error returns the followings.
string(235) "UPDATE status SET invite_status = 'opened', open_time = 1461103507 WHERE invite_email = 'something [email protected]' AND rating_invite_token = '2f1e4b16a9a882bbef9b00906fc5c8f563fd70a5'"
I notice above part in error, highlighted in bold, that my plus (+) sign is gone and it left a space, causing the above statement not to update.
May I know am I missing out anything?
Update: I am asking because some users of gmails does use the + sign to categorise their emails, as [email protected] still goes back to [email protected]
If there's any sanitisation which I am supposed to do, but i miss out, please guide me as well. I presume all $_GET data should have been sanitised.
Upvotes: 3
Views: 51
Answers (1)
Reputation: 69967
It isn't wpdb or MySQL that's removing the plus.
Under the hood, when you call update like that, WordPress is passing the data through mysqli_real_escape_string() and nothing else.
Since you mentioned the data is coming from the query string $_GET, most likely the + is being removed before the query because it us being unescaped and the + is being translated into a space.
You can check this with:
$open_email = $_GET['email'];
var_dump($open_email);
and see what the result is.
To get the plus back, it should be safe to do the following after all sanitzation and unescaping:
$open_email = str_replace(' ', '+', $open_email);
Upvotes: 3
Related Questions
- How to reset AUTO_INCREMENT in MySQL
- How can I output MySQL query results in CSV format?
- How to import an SQL file using the command line in MySQL?
- How do you parse and process HTML/XML in PHP?
- MySQL error code: 1175 during UPDATE in MySQL Workbench
- How do I connect to a MySQL Database in Python?
- Should I use the datetime or timestamp data type in MySQL?
- Can I concatenate multiple MySQL rows into one field?
- Which MySQL data type to use for storing boolean values