URL Groups using Regex in Page URLs aren't being saved correctly.

I am using a regex to lock down the /members area of a site that works with subdomains, domain mapping and SSL.

^(http(?:s)?:\/\/)(.+)(\.)(\w{3,4})(\/members)((?!.*)|(\/{1})|(\b))

You can test it at: RegExr using a domain like http://sub.domain.com/members

The problem that I'm having is that when I update the Group the backslashes are removed. In order to save it as a proper regex I have to change all the backslashes to double backslashes. It appears to me that either WordPress or the plugin is stripping the slashes of the posted data.

I've been dealing with this problem ever since I started using the Membership plugin and thought it best to let you guys know so that you can either let me know what I'm doing wrong or fix it.

Here is the magic quotes section of my php.ini:

; Magic quotes
;

; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off

; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = Off

; Use Sybase-style magic quotes (escape ' with '' instead of ').
magic_quotes_sybase = Off
  • Michael Bissett

    Hey @wesleyjordan, hope you're doing well today! :slight_smile:

    Thanks for letting us know about the bug, I've notified our developers about this, so that it can be looked into more.

    From what I understand presently, it does in fact store the regex entered in the database, so it gets saved like this:

    ^(http(?:s)?:\/\/)(.+)(\.)(\w{3,4})(\/members)((?!.*)|(\/{1})|(\b))

    But, when you go to edit the URL group again, Membership renders it like this:

    ^(http(?:s)?://)(.+)(.)(w{3,4})(/members)((?!.*)|(/{1})|(b))

    Even though nothing's actually changed in the database yet.

    Regards,
    Michael

  • Wes Jordan

    Hi @Rheinard,

    First, I found out that I had magic quotes turned on. cPanel is using the php.ini located in the public_html directory of my site instead of the global php.ini. That copy had the magic_quotes settings remarked out which actually turns them on by default until php 5.4 and I'm running 5.3.24. I unremarked those 3 lines and reloaded Apache which turned magic quotes off.

    That still didn't solve my problem so here's how I resolved it:

    BUG #1
    @Michael Bissett was correct in that the regex is being stored correctly in the database. The problematic code is on line 81 in the file: membership/membershipincludes/classes/class.urlgroup.php

    echo esc_textarea( stripslashes( $this->group->groupurls ) )

    I replaced that with:

    echo esc_textarea( get_magic_quotes_runtime() ? stripslashes($this->group->groupurls) : $this->group->groupurls );

    Now the regex is being properly displayed in the Page URLs textarea. I'm able to save it and it comes back exactly the same.

    BUG #2
    That got me thinking about something. Why did double backslashes work to secure my /members area? I checked the members area of the site as a not-logged-in user and sure enough it was no longer protected.

    I tried finding the place in the plugin's code where this is happening and had no luck. So for now, the first bug is fixed and that created this new bug that I now need help with.

  • Wes Jordan

    @Rheinard, here are the steps to recreate Bug #2.

    These tests were performed on a system where Bug #1 has been fixed.

    MEMBERSHIP OPTIONS:
    Stranger access level: Visitors

    SETUP 1:
    1. Create URL Group
    -- Group name: Membership Area
    -- Page URL:
    ^(http(?:s)?:\/\/)(.+)(\.)(\w{3,4})(\/members)((?!.*)|(\/{1})|(\b))
    -- Strip QS: true
    -- RegEx: true

    2. Create Access Level
    -- Title: Pro Level
    -- Positive Rule: URL Groups->Membership Area
    ---- (Be sure to check manually check Membership Area box)

    3. Modify Access Level: 'Visitors'
    -- Negative Rule: URL Groups->Membership Area
    ---- (Be sure to check manually check Membership Area box)

    4. Create Subscription Plan
    -- Name: Pro Subscription
    -- Membership Levels: Pro Level
    -- Settings: $9.95 p/mth indefinite
    -- Remote Pings: none

    5. Create Page
    -- Name: Members Area
    -- Slug: members
    -- Parent: none

    6. Create Page
    -- Name: Member Downloads
    -- Slug: downloads
    -- Parent: Members Area

    TEST 1:
    1. If using a caching plugin, delete the site cache.
    2. Navigate to http://domain.com/members/
    3. Navigate to http://domain.com/members/downloads/

    RESULTS 1: In both cases the page is displayed.

    SETUP 2:
    1. Change Page URL of the 'Membership Area' URL Group to:
    ^(http(?:s)?:\\/\\/)(.+)(\\.)(\\w{3,4})(\\/members)((?!.*)|(\\/{1})|(\\b))

    TEST 2:
    1. If using a caching plugin, delete the site cache.
    2. Navigate to http://domain.com/members/
    3. Navigate to http://domain.com/members/downloads/

    RESULTS 2: In both cases the page redirects to the 'Protected content page'.

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.