From 1c7186138b8da6642c5be40f938ffb6e3b295a91 Mon Sep 17 00:00:00 2001
From: Rolly Bueno <rollybueno@gmail.com>
Date: Wed, 15 Oct 2025 09:47:19 +0800
Subject: [PATCH 1/6] Fix: Prevents invalid wp-config.php when passwords
 contain double quotes

---
 features/config-create.feature | 16 ++++++++++++++++
 src/Config_Command.php         |  3 ++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/features/config-create.feature b/features/config-create.feature
index 536f1859..ef7bfac7 100644
--- a/features/config-create.feature
+++ b/features/config-create.feature
@@ -243,6 +243,22 @@ Feature: Create a wp-config file
       PasswordWith'SingleQuotes'
       """
 
+  Scenario: Passwords with special characters and double quotes
+    Given an empty directory
+    And WP files
+
+    When I run `wp config create --skip-check --dbname=somedb --dbuser=someuser --dbpass='p@(ss){w0r?d><}"!With"DoubleQuotes'`
+    Then the wp-config.php file should contain:
+      """
+      define( 'DB_PASSWORD', 'p@(ss){w0r?d><}"!With"DoubleQuotes' )
+      """
+
+    When I run `wp config get DB_PASSWORD`
+    Then STDOUT should be:
+      """
+      p@(ss){w0r?d><}"!With"DoubleQuotes
+      """
+
   @require-mysql @require-mysql-5.7
   Scenario: Configure with required SSL connection
     Given an empty directory
diff --git a/src/Config_Command.php b/src/Config_Command.php
index 5b76aba0..38cbf37f 100644
--- a/src/Config_Command.php
+++ b/src/Config_Command.php
@@ -1240,7 +1240,8 @@ private function escape_config_value( $key, $value ) {
 		}
 
 		if ( is_string( $value ) ) {
-			return addslashes( $value );
+			// For single-quoted strings, only escape single quotes; double quotes don't need escaping
+			return str_replace( "'", "\\'", $value );
 		}
 
 		return $value;

From 900416bd14b9f6db261fff79d601198dc4c060b7 Mon Sep 17 00:00:00 2001
From: Rolly Bueno <rollybueno@gmail.com>
Date: Sun, 26 Oct 2025 16:17:16 +0800
Subject: [PATCH 2/6] Fix: Escape backslashes first before single quotes

---
 src/Config_Command.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/Config_Command.php b/src/Config_Command.php
index 38cbf37f..80fe755d 100644
--- a/src/Config_Command.php
+++ b/src/Config_Command.php
@@ -1240,8 +1240,9 @@ private function escape_config_value( $key, $value ) {
 		}
 
 		if ( is_string( $value ) ) {
-			// For single-quoted strings, only escape single quotes; double quotes don't need escaping
-			return str_replace( "'", "\\'", $value );
+			$value = str_replace( '\\', '\\\\', $value );  // Escape backslashes first
+			$value = str_replace( "'", "\\'", $value );    // Then escape single quotes
+			return $value;
 		}
 
 		return $value;

From 0b24d5157365f58fbd7a3c8f66e92f1d34799c6b Mon Sep 17 00:00:00 2001
From: Rolly Bueno <rollybueno@gmail.com>
Date: Tue, 28 Oct 2025 09:05:04 +0800
Subject: [PATCH 3/6] Test: Add teset scenario for password with double
 backslash

---
 features/config-create.feature | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/features/config-create.feature b/features/config-create.feature
index ef7bfac7..b5212471 100644
--- a/features/config-create.feature
+++ b/features/config-create.feature
@@ -216,6 +216,12 @@ Feature: Create a wp-config file
       define( 'DB_HOST', 'localhost:{SOCKET}' );
       """
 
+    When I run `wp config create --skip-check --dbname=somedb --dbuser=someuser --dbpass='my\\password'`
+    Then the wp-config.php file should contain:
+      """
+      define( 'DB_PASSWORD', 'my\\\\password' )
+      """
+
   @require-php-7.0
   Scenario: Configure with salts generated
     Given an empty directory

From b35b5cfcbb06f72f09d03b968c08ce20e880c7bf Mon Sep 17 00:00:00 2001
From: Rolly Bueno <rollybueno@gmail.com>
Date: Wed, 29 Oct 2025 11:24:58 +0800
Subject: [PATCH 4/6] Fix: Failing test unit

---
 features/config-create.feature | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/features/config-create.feature b/features/config-create.feature
index b5212471..6f6b11b5 100644
--- a/features/config-create.feature
+++ b/features/config-create.feature
@@ -216,12 +216,6 @@ Feature: Create a wp-config file
       define( 'DB_HOST', 'localhost:{SOCKET}' );
       """
 
-    When I run `wp config create --skip-check --dbname=somedb --dbuser=someuser --dbpass='my\\password'`
-    Then the wp-config.php file should contain:
-      """
-      define( 'DB_PASSWORD', 'my\\\\password' )
-      """
-
   @require-php-7.0
   Scenario: Configure with salts generated
     Given an empty directory
@@ -265,6 +259,12 @@ Feature: Create a wp-config file
       p@(ss){w0r?d><}"!With"DoubleQuotes
       """
 
+    When I run `wp config create --skip-check --dbname=somedb --dbuser=someuser --dbpass='my\\password'` --force
+    Then the wp-config.php file should contain:
+      """
+      define( 'DB_PASSWORD', 'my\\\\password' )
+      """
+
   @require-mysql @require-mysql-5.7
   Scenario: Configure with required SSL connection
     Given an empty directory

From 6415fe7ef72ffa3aadf35195b6f6cb96047e473c Mon Sep 17 00:00:00 2001
From: Rolly Bueno <rollybueno@gmail.com>
Date: Wed, 29 Oct 2025 11:42:04 +0800
Subject: [PATCH 5/6] Test: Move into dedicated scenario since using --false
 key failed

---
 features/config-create.feature | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/features/config-create.feature b/features/config-create.feature
index 6f6b11b5..05596499 100644
--- a/features/config-create.feature
+++ b/features/config-create.feature
@@ -259,11 +259,21 @@ Feature: Create a wp-config file
       p@(ss){w0r?d><}"!With"DoubleQuotes
       """
 
+  Scenario: Passwords with backslash should properly escaped
+    Given an empty directory
+    And WP files
+  
     When I run `wp config create --skip-check --dbname=somedb --dbuser=someuser --dbpass='my\\password'` --force
     Then the wp-config.php file should contain:
       """
       define( 'DB_PASSWORD', 'my\\\\password' )
       """
+    
+    When I run `wp config get DB_PASSWORD`
+    Then STDOUT should be:
+      """
+      my\\password
+      """
 
   @require-mysql @require-mysql-5.7
   Scenario: Configure with required SSL connection

From b17a5ada13747ce2a4150a6ffc7f10ed13d115b3 Mon Sep 17 00:00:00 2001
From: Rolly Bueno <rollybueno@gmail.com>
Date: Wed, 29 Oct 2025 11:46:32 +0800
Subject: [PATCH 6/6] Test: Remove --force flag for the new scenario

---
 features/config-create.feature | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/features/config-create.feature b/features/config-create.feature
index 05596499..85549eb5 100644
--- a/features/config-create.feature
+++ b/features/config-create.feature
@@ -263,7 +263,7 @@ Feature: Create a wp-config file
     Given an empty directory
     And WP files
   
-    When I run `wp config create --skip-check --dbname=somedb --dbuser=someuser --dbpass='my\\password'` --force
+    When I run `wp config create --skip-check --dbname=somedb --dbuser=someuser --dbpass='my\\password'`
     Then the wp-config.php file should contain:
       """
       define( 'DB_PASSWORD', 'my\\\\password' )