vb.org Archive

vb.org Archive (https://vborg.vbsupport.ru/index.php)
-   vB3 Programming Discussions (https://vborg.vbsupport.ru/forumdisplay.php?f=15)
-   -   Best Option for Escaping Double Quotes (https://vborg.vbsupport.ru/showthread.php?t=302973)

Digital Jedi 10-05-2013 05:50 AM

Best Option for Escaping Double Quotes
 
I've created a text area in vBulletin Options for the re-release of the AME (Auto Media Embedding) modification. In this field, admins will be able to add lines of code to their SHOWTHREAD template's <body> or <head> tags. I did this for support of media embedding that requires only one instantiation per page of a code type (e.g. JavaScript code for Pinterest widgets) and to save people the need for template edits.

Everything works as expected, but I'm unsure on one thing. Since code is placed into this vB Options field, double quotes need to be escaped. I'm trying to make this as pain-free for admins as possible, so I used addslashes() to automatically escape the code.

PHP Code:

$find = '</body>';
$optioncode = $vbulletin->options['automediaembed_extras_body'];
$replace = addslashes($optioncode);
$vbulletin->templatecache['SHOWTHREAD'] = str_replace($find, $replace . $find, $vbulletin->templatecache['SHOWTHREAD']);

I figure I don't actually need to put automediaembed_extras_body in its own variable, but I did so for neatness' sake, as I hadn't actually settled on where to put the output when I started the plugin.

What I'd like to know is if addslashes() is the best escape option here. Is it vulnerable to SQL injections, like I've been reading, in this context? I also had success with mysql_real_escape_string(), but will that fail to escape some special characters that need to be escaped?

kh99 10-05-2013 10:03 AM

Edit: Sorry, my previous answer would be for vb4. You're right of course, a vb3 template is in a double quoted string so I think you'd want to escape double quotes, and also escape the dollar sign if you don't want them to be able to insert variables. Also, if you don't escape backslashes they will be able to insert characters using sequences like \n for newline, and if they want a literal backslash they'd need to use \\. I'm guessing that's not what you'd want for inserting html but you might want it for javascript, so I think you just have to make a choice of whether or not to escape backslashes.

You can use addcslashes() to list the characters you want to escape, so I think you'd want either $replace = addcslashes($optioncode, '"$\\'); or $replace = addcslashes($optioncode, '"$');

Escaping double quotes avoids a problem where they could insert arbitrary php code, but I don't see any risk with SQL injections because you're not using the text in a query.

ETA: Now that I think about it more I think you *would* want to include backslash in the escaped characters, because even if you want to use a \n (for example) in a javascript string, you'd want to include a literal backslash and not have php interpret the \n.

Digital Jedi 10-05-2013 02:35 PM

Thanks! I had not heard of addcslashes(). That seems more apropos in this case. Yeah, if the double quotes aren't escaped it will turn up the dreaded unexpected T_STRING error.

Also yes, I think this would be primarily used for JavaScript blocks, and possibly CSS in rare cases. So '"$\\' makes sense. Is there any instance where I'd want to prevent the insertion of newline?

kh99 10-05-2013 02:48 PM

Quote:

Originally Posted by Digital Jedi (Post 2450170)
Also yes, I think this would be primarily used for JavaScript blocks, and possibly CSS in rare cases. So '"$\\' makes sense. Is there any instance where I'd want to prevent the insertion of newline?

Not that I can think of, it's just a matter of what would be more convenient. But like I added above, I can't think of any reason that you'd want to allow a newline character to be inserted, so I think it might be better to escape backslashes so that it's easier to use the backslash character in javascript.

BTW, someone asked about this in the past so I've thought about it, but I don't have experience with it so this is all kind of theoretical.

Digital Jedi 10-05-2013 03:03 PM

I'll test run some scenarios and see if I can think of any issues that will come up. Thanks again.

Digital Jedi 10-18-2013 04:15 PM

For whatever reason, and I can't tell you why (though probably forgetfulness) I went with mysql_escape_string() and, naturally, ran into errors with users running, I'm assuming, vB 3 on PHP 5.5. mysql_escape_string() is deprecated at this point.

I'm switching to addcslashes($LikeIWasToldToo) and ran into discussions on PDO::quote(). While people are saying it's not a replacement for mysql_escape_string(), the manual is saying you should use it instead. I'm wondering if it's applicable or beneficial here.


In any event, this is what I'm going with:
PHP Code:

$find = '</head>';
$optioncode = $vbulletin->options['automediaembed_extras_head'];
$replace = addcslashes($optioncode, '$"');
$vbulletin->templatecache['SHOWTHREAD'] = str_replace($find, $replace . $find, $vbulletin->templatecache['SHOWTHREAD']);

I take it, I shouldn't run into PHP version issues with this?
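The behaviour kh99 describes (a vB3 template is evaluated as a double-quoted PHP string, so `"`, `$` and `\` are the characters that matter) and the str_replace splice used in the snippets above can be checked side by side. The following is an added example written for this thread, not code from the thread or from the AME modification; `escape_for_vb3_template()`, `render_vb3_template()`, `inject_before_tag()`, `compare_escapers()` and the `$site_name` stand-in variable are hypothetical names, and the template and script snippet are constructed sample input. It also shows a point the thread does not spell out: addslashes() escapes single quotes as `\'`, which a double-quoted PHP string does not recognise as an escape, so a stray backslash survives into the rendered page.

```php
<?php
// Added example: compare addslashes() with addcslashes('"$\\') when admin-supplied
// markup is spliced into a vB3 template and then evaluated as a double-quoted
// PHP string. Only constructed sample input is used here.

// Escape admin-supplied markup so it survives evaluation inside a double-quoted
// PHP string unchanged: ", $ and \ are the only characters PHP interprets there.
function escape_for_vb3_template($code)
{
    return addcslashes($code, '"$\\');
}

// Simulate what vBulletin 3 does with a cached template: evaluate it as a
// double-quoted string. $site_name is a constructed stand-in for the PHP
// variables a real template can see at evaluation time.
function render_vb3_template($template)
{
    $site_name = 'example forum';
    $output = '';
    eval('$output = "' . $template . '";');
    return $output;
}

// The str_replace pattern from the thread: put the escaped code in front of
// a closing tag such as </head> or </body>.
function inject_before_tag($template, $tag, $code)
{
    return str_replace($tag, escape_for_vb3_template($code) . $tag, $template);
}

// Render the same snippet through both escaping choices and return the results.
function compare_escapers($template, $tag, $code)
{
    $escaped = [
        'addslashes'  => addslashes($code),
        'addcslashes' => addcslashes($code, '"$\\'),
    ];
    $rendered = [];
    foreach ($escaped as $name => $value) {
        $rendered[$name] = render_vb3_template(str_replace($tag, $value . $tag, $template));
    }
    return $rendered;
}

// Constructed sample: a script block containing every character that matters
// here (double quotes, a dollar sign, single quotes and a backslash escape).
$snippet  = '<script>var label = "$site_name"; var nl = \'a\nb\';</script>';
$template = '<html><head><title>t</title></head><body></body></html>';

// addcslashes('"$\\') round-trips: the rendered page contains the snippet exactly
// as the admin typed it, with $site_name left as literal text.
$hardened = render_vb3_template(inject_before_tag($template, '</head>', $snippet));
echo 'addcslashes round-trip exact: ', var_export(strpos($hardened, $snippet) !== false, true), PHP_EOL;

// addslashes() leaves $ alone (so PHP interpolates $site_name) and turns each
// single quote into \' which PHP prints back with the backslash attached.
$results = compare_escapers($template, '</head>', $snippet);
echo 'addslashes interpolated a variable: ',
     var_export(strpos($results['addslashes'], 'example forum') !== false, true), PHP_EOL;
echo 'addslashes left stray backslashes:  ',
     var_export(strpos($results['addslashes'], "\\'") !== false, true), PHP_EOL;
echo PHP_EOL, 'addslashes output:  ', $results['addslashes'], PHP_EOL;
echo 'addcslashes output: ', $results['addcslashes'], PHP_EOL;
```

Run it with `php example.php`. The addcslashes() variant is the only one whose rendered output is byte-for-byte what the admin entered; the `$"` list in the final snippet above behaves the same for double quotes and dollar signs but lets PHP interpret `\n`, `\t` and similar sequences inside the inserted JavaScript, which is the trade-off kh99 points out.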



Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.
