php wordpress code-snippets magic-quotes

add_magic_quotes() is not working in WordPress


Here is the code that's run by the plugin. It passes the CSV file data to MySQL:

      $new_post = array(
        'post_title'    => $row['Account Name'],
        'post_content'  => $row['Yellow Page Business Description'],
        'post_status'   => 'publish',
        'post_author'   => 1,
        'post_type'     => 'business',
        'post_category' => array(0)
      );


      try
      {
        $result = wp_insert_post(add_magic_quotes($new_post), true);

        if (is_wp_error($result)) {
          $output .= '<p style="color:red;">ERROR LOADING CSV FILE</p>';
          $output .= "<p style='color:red;'>Failed to import {$new_post['post_title']}</p>";
          $output .= '<pre>'.$result->get_error_message().'</pre>';
        }
        else
        {
          $post_id = $result;

To which, MySQL reports:

[error] WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))) AND (cj_posts.post_password = '') AND cj_posts.post_type = 'business' AND ' at line 1 for query SELECT DISTINCT SQL_CALC_FOUND_ROWS cj_posts.* FROM cj_posts LEFT JOIN cj_term_relationships AS trel ON (cj_posts.ID = trel.object_id) LEFT JOIN cj_term_taxonomy AS ttax ON ( ( ttax.taxonomy = 'category' ) AND trel.term_taxonomy_id = ttax.term_taxonomy_id) LEFT JOIN cj_terms AS tter ON (ttax.term_id = tter.term_id) LEFT JOIN cj_comments AS cmt ON ( cmt.comment_post_ID = cj_posts.ID ) WHERE 1=1 AND ( ( ((())) AND (cj_posts.post_password = '') AND cj_posts.post_type = 'business' AND (cj_posts.post_status = 'publish')) AND post_type != 'revision') AND post_status != 'future' ORDER BY cj_posts.post_title LIKE '% %' DESC, cj_posts.post_date DESC LIMIT 0, 10 made by require('wp-blog-header.php'), wp, WP->main, WP->query_posts, WP_Query->query, WP_Query->get_posts

cj_ is the WordPress prefix.

I think it's the use of magic_quotes not working, so it's passing characters from the CSV data to MySQL that are not escaped properly. But I'm not 100% sure and I'm not sure what to substitute to make it work.


Solution

  • You don't need to use add_magic_quotes. From the wp_insert_post documentation:

    This function inserts posts (and pages) in the database. It sanitizes variables, does some checks, fills in missing variables like date/time, etc

    Emphasis is mine.

    https://codex.wordpress.org/Function_Reference/wp_insert_post

    add_magic_quotes essentially iterates over an array and calls addslashes on each element. This is completely unnecessary as wp_insert_post will sanitize any input it is given. Whatever problem you expect add_magic_quotes to solve, it doesn't.
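
The behaviour the answer describes, as an added example that is not part of the original answer and not WordPress's own code: a hypothetical `slash_array()` helper applies `addslashes` to every element of a constructed CSV row, and the row is then stored through an insert routine that already binds its values. A PDO in-memory SQLite table stands in for the database layer (an assumption; it does not reproduce the internals of `wp_insert_post`), and the comparison shows that pre-slashing only changes the stored data.

```php
<?php
// Hypothetical helper mirroring the answer's description of add_magic_quotes:
// walk the array and call addslashes() on each string element.
function slash_array(array $data): array
{
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $data[$key] = slash_array($value);
        } elseif (is_string($value)) {
            $data[$key] = addslashes($value);
        }
    }
    return $data;
}

// Stand-in insert routine (assumption: not WordPress code). Values are bound
// as parameters, so no quote character ever reaches the SQL text itself.
function insert_and_read_title(PDO $pdo, array $post): string
{
    $stmt = $pdo->prepare(
        'INSERT INTO posts (post_title, post_content) VALUES (:title, :content)'
    );
    $stmt->execute([
        ':title'   => $post['post_title'],
        ':content' => $post['post_content'],
    ]);
    $read = $pdo->prepare('SELECT post_title FROM posts WHERE id = ?');
    $read->execute([$pdo->lastInsertId()]);
    return (string) $read->fetchColumn();
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, post_title TEXT, post_content TEXT)');

// Constructed CSV row using the column names from the question.
$row = [
    'Account Name'                     => "Joe's \"Best\" Diner",
    'Yellow Page Business Description' => "O'Brien & Sons, open 24\\7",
];
$post = [
    'post_title'   => $row['Account Name'],
    'post_content' => $row['Yellow Page Business Description'],
];

$plain   = insert_and_read_title($pdo, $post);              // bound as-is
$slashed = insert_and_read_title($pdo, slash_array($post)); // slashed first, then bound

echo 'original : ', $post['post_title'], PHP_EOL;
echo 'plain    : ', $plain, ' (round-trips: ', var_export($plain === $post['post_title'], true), ')', PHP_EOL;
echo 'slashed  : ', $slashed, ' (round-trips: ', var_export($slashed === $post['post_title'], true), ')', PHP_EOL;
```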