3

I am using $wpdb and the following is part of the codes that calls $wpdb->update.

This code works well if it's normal [email protected], but when if users were to use the + sign in their username, e.g. [email protected], wpdb doesn't read the + sign

Below variables are from $_GET but i'm putting in values for readability.

$open_email = '[email protected]';
$open_key = '2f1e4b16a9a882bbef9b00906fc5c8f563fd70a5';
$open_time = time();

if (strlen($open_key) == 40) {
    $status_update = $wpdb->update('status', 
            array(
                'invite_status' => 'opened',
                'open_time' => $open_time
                ),
            array(
                'invite_email' => $open_email,
                'invite_token' => $open_key
                ),
            array(
                '%s',
                '%d'
                ),
            array(
                '%s',
                '%s'
                )
                );
}

var dump of $wpdb->last_query and $wpdb->last_error returns the followings.

string(235) "UPDATE status SET invite_status = 'opened', open_time = 1461103507 WHERE invite_email = 'something [email protected]' AND rating_invite_token = '2f1e4b16a9a882bbef9b00906fc5c8f563fd70a5'"

I notice above part in error, highlighted in bold, that my plus (+) sign is gone and it left a space, causing the above statement not to update.

May I know am I missing out anything?

Update: I am asking because some users of gmails does use the + sign to categorise their emails, as [email protected] still goes back to [email protected]

If there's any sanitisation which I am supposed to do, but i miss out, please guide me as well. I presume all $_GET data should have been sanitised.

Improve this question

1 Answer 1

Reset to default
3

It isn't wpdb or MySQL that's removing the plus.

Under the hood, when you call update like that, WordPress is passing the data through mysqli_real_escape_string() and nothing else.

Since you mentioned the data is coming from the query string $_GET, most likely the + is being removed before the query because it us being unescaped and the + is being translated into a space.

You can check this with:

$open_email = $_GET['email'];
var_dump($open_email);

and see what the result is.

To get the plus back, it should be safe to do the following after all sanitzation and unescaping:

$open_email = str_replace(' ', '+', $open_email);
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Oh yes, you are spot on! May I assume this is a common problem and str_replace(' ', '+',$open_email); is a common step to do after a GET with email string?
Yes and no, if you really want the + to be a plus, the URL should be hex encoded properly from the source, e.g. http://example.com?email=something%2bADDITION%40gmail.com&open_key=xxx A + in a URL is special encoding for a space, if you want to actually represent a +, hex encode it as %2b

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.