I am using $wpdb and the following is part of the codes that calls $wpdb->update.
This code works well if it’s normal email@domain.com, but when if users were to use the + sign in their username, e.g. email+something@domain.com, wpdb doesn’t read the + sign
Below variables are from $_GET but i’m putting in values for readability.
$open_email = 'something+ADDITION@gmail.com';
$open_key = '2f1e4b16a9a882bbef9b00906fc5c8f563fd70a5';
$open_time = time();
if (strlen($open_key) == 40) {
$status_update = $wpdb->update('status',
array(
'invite_status' => 'opened',
'open_time' => $open_time
),
array(
'invite_email' => $open_email,
'invite_token' => $open_key
),
array(
'%s',
'%d'
),
array(
'%s',
'%s'
)
);
}
var dump of $wpdb->last_query and $wpdb->last_error returns the followings.
string(235) “UPDATE status SET invite_status = ‘opened’, open_time = 1461103507 WHERE invite_email = ‘something ADDITION@gmail.com‘ AND rating_invite_token = ‘2f1e4b16a9a882bbef9b00906fc5c8f563fd70a5′”
I notice above part in error, highlighted in bold, that my plus (+) sign is gone and it left a space, causing the above statement not to update.
May I know am I missing out anything?
Update: I am asking because some users of gmails does use the + sign to categorise their emails, as username+anything@gmail.com still goes back to username@gmail.com
If there’s any sanitisation which I am supposed to do, but i miss out, please guide me as well. I presume all $_GET data should have been sanitised.
It isn’t
wpdbor MySQL that’s removing the plus.Under the hood, when you call update like that, WordPress is passing the data through
mysqli_real_escape_string()and nothing else.Since you mentioned the data is coming from the query string
$_GET, most likely the+is being removed before the query because it us being unescaped and the+is being translated into a space.You can check this with:
and see what the result is.
To get the plus back, it should be safe to do the following after all sanitzation and unescaping: