I'm having an issue with mysql_real_escape_string. This is used to display a custom post type (food menu items) for the WooThemes Diner theme. Food menu items no longer display on the Diner menu page because they are being called with mysql_real_escape_string.

What is the proper way to call these items?

Theme: Diner by WooThemes version 1.9.8 (now retired from active support)

Affected file: admin-interface.php

Lines: 111 & 118

/*-----------------------------------------------------------------------------------*/
/* WooThemes Admin Interface - woothemes_add_admin */
/*-----------------------------------------------------------------------------------*/

if ( ! function_exists( 'woothemes_add_admin' ) ) {
function woothemes_add_admin() {

    global $query_string;
    global $current_user;
    $current_user_id = $current_user->user_login;
    $super_user = get_option( 'framework_woo_super_user' );

    $themename =  get_option( 'woo_themename' );
    $shortname =  get_option( 'woo_shortname' );

    // Reset the settings, sanitizing the various requests made.
    // Use a SWITCH to determine which settings to update.

    /* Make sure we're making a request.
------------------------------------------------------------*/

    if ( isset( $_REQUEST['page'] ) ) {

        // Sanitize page being requested.
        $_page = '';

        $_page = mysql_real_escape_string( strtolower( trim( strip_tags( $_REQUEST['page'] ) ) ) );

        // Sanitize action being requested.
        $_action = '';

        if ( isset( $_REQUEST['woo_save'] ) ) {

            $_action = mysql_real_escape_string( strtolower( trim( strip_tags( $_REQUEST['woo_save'] ) ) ) );

        } // End IF Statement

        // If the action is "reset", run the SWITCH.

        /* Perform settings reset.
    ------------------------------------------------------------*/

asked Oct 26, 2016 at 20:30 by tinym
  • Sounds like your hosting environment recently upgraded to PHP7. mysql_real_escape_string was deprecated previously but removed in PHP7. It is possible that Woo has released an update for this theme. Recommend contacting Woo for a fix. – jdm2112 Commented Oct 26, 2016 at 20:39
  • Yes, I have already contacted Woo. They did issue a theme update but will not provide the file(s) to my client. My client could not locate the original receipt (they only found bank transactions) for the theme so Woo refused to provide the updated files. – tinym Commented Oct 26, 2016 at 21:50
  • downvoted as this is only part of the code, which does not explain why there is escaping done at all. Seems like this is just horrible code and the escaping is just not needed, or at least not the escaping that was used – Mark Kaplun Commented Aug 24, 2017 at 3:34

3 Answers

As mysql_real_escape_string() was deprecated in PHP 5.5.0, and it was removed in PHP 7.0.0, you can try esc_sql() to work for later WP/PHP versions.

Replace mysql_real_escape_string() with esc_sql() at lines 111 & 118 in your admin-interface.php file.

Hope this should work well for you!

mysql_real_escape_string was deprecated previously and removed in PHP7. You have to use mysqli_real_escape_string. But I don't think it is possible with WordPress because you have to pass the connection string also.

So alternately you can use esc_sql() instead of mysql_real_escape_string.

Use this:

global $wpdb;
$string = "<h1>Hello world</h1>";
$string = $wpdb->_real_escape($string);

Link here: https://developer.wordpress.org/reference/classes/wpdb/_real_escape/
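
As an added example (not part of any answer above and not WooThemes code): the two affected assignments rewritten with WordPress's own sanitizers, plus `$wpdb->prepare()` for the case where a request value actually reaches a query. It assumes the code runs inside WordPress and that the `page` and `woo_save` values are slug-like; the `woo_example_*` function names are hypothetical.

```php
<?php
// Added example, not WooThemes code. Assumes it is loaded by WordPress
// (for instance from admin-interface.php), so sanitize_key(), wp_unslash()
// and $wpdb exist. The woo_example_* names are hypothetical.

/**
 * Read a slug-like request parameter such as a page or action name.
 *
 * sanitize_key() lowercases the value and keeps only a-z, 0-9, "_" and "-",
 * which covers what strtolower(), trim() and strip_tags() were doing, and
 * needs no database connection, unlike mysql_real_escape_string().
 * If a value may contain other characters, sanitize_text_field() is the
 * looser alternative.
 */
function woo_example_request_key( $name ) {
    if ( ! isset( $_REQUEST[ $name ] ) || ! is_string( $_REQUEST[ $name ] ) ) {
        return ''; // Missing or array-valued parameter: treat as empty.
    }
    // WordPress adds slashes to request data; remove them before sanitizing.
    return sanitize_key( wp_unslash( $_REQUEST[ $name ] ) );
}

// Inside woothemes_add_admin(), in place of the two
// mysql_real_escape_string() assignments (lines 111 and 118):
$_page   = woo_example_request_key( 'page' );
$_action = woo_example_request_key( 'woo_save' );

// Values that are only compared in PHP (the original comment mentions
// checking the action for "reset") never need SQL escaping.

/**
 * When a request-derived value does go into SQL, bind it with
 * $wpdb->prepare() rather than escaping by hand. esc_sql() output is only
 * safe inside a quoted string literal; prepare() adds the quoting itself.
 */
function woo_example_option_names_with_prefix( $prefix ) {
    global $wpdb;

    // esc_like() neutralises "%" and "_" so they match literally.
    $like = $wpdb->esc_like( $prefix ) . '%';

    return $wpdb->get_col(
        $wpdb->prepare(
            "SELECT option_name FROM {$wpdb->options} WHERE option_name LIKE %s",
            $like
        )
    );
}
```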

Tags: php; Replacing mysql_real_escape_string in WordPress theme