Thread: Best Option for Escaping Double Quotes
View Single Post
  #1  
Old 10-05-2013, 05:50 AM
Digital Jedi's Avatar
Digital Jedi Digital Jedi is offline
 
Join Date: Oct 2006
Location: PopCulturalReferenceLand
Posts: 5,171
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default Best Option for Escaping Double Quotes
I've created a text area in vBulletin Options for the re-release of the AME (Auto Media Embedding) modification. In this field, admins will be able to add lines of code to their SHOWTHREAD template's <body> or <head> tags. I did this for support of media embedding that requires only one instantiation per page of a code type (e.g. JavaScript code for Pinterest widgets) and to save people the need for template edits.

Everything works as expected, but I'm unsure on one thing. Since code is placed into this vB Options field, double quotes need to be escaped. I'm trying to make this as pain free for admins as possible, so I used addslashes() to automatically escape the code.

PHP Code:
$find '</body>';
$optioncode $vbulletin->options['automediaembed_extras_body'];
$replace addslashes($optioncode);
$vbulletin->templatecache['SHOWTHREAD'] = str_replace($find$replace $find$vbulletin->templatecache['SHOWTHREAD']); 
I figure I don't actually need to put automediaembed_extras_body in it's own variable, but I did so for neatness sake, as I hadn't actually settled on where to put the output when I started the plugin.

What I'd like to know is if addslashes() is the best escape option here. Is it vulnerable to SQL injections, like I've been reading, in this context? I also had success with mysql_real_escape_string(), but will that fail to escape some special characters that need to be escaped?
Reply With Quote
 
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.01174 seconds
  • Memory Usage 1,768KB
  • Queries Executed 11 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD_SHOWPOST
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)bbcode_php
  • (1)footer
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (6)option
  • (1)post_thanks_box
  • (1)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit_info
  • (1)postbit
  • (1)postbit_onlinestatus
  • (1)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open 
Phrase Groups Available:
  • global
  • postbit
  • reputationlevel
  • showthread
Included Files:
  • ./showpost.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 
Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_postinfo_query
  • fetch_postinfo
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showpost_start
  • bbcode_fetch_tags
  • bbcode_create
  • postbit_factory
  • showpost_post
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • showpost_complete