[wp-hackers] WordPress Charset SQL Injection Vulnerability

DD32 wordpress at dd32.id.au
Sun Dec 16 10:26:08 GMT 2007


On Sun, 16 Dec 2007 21:17:03 +1100, Otto <otto at ottodestruct.com> wrote:

> On 12/16/07, DD32 <wordpress at dd32.id.au> wrote:
>> > On Dec 15, 2007 10:10 PM, Jeremy Visser <jeremy.visser at gmail.com> wrote:
>> Just to throw a thought out about this quickly:
>> Currently WP connects to the database as soon as it's loaded, correct? Regardless of if any queries are going to be made.
>>
>> This happens before any caching plugins have a chance to take over,
>
> No. It includes the advanced-cache.php file before it connects to the
> DB. Assuming the caching plugin returns a cached page and exits, the
> DB never gets connected to.

Oops, misread the file :) I mixed the Advanced and Object cache include lines.

So yes.. If an HTML caching plugin is enabled, the database isn't hit/loaded.

However, the DB is still connected to even if the Object cache contains all the needed data, though.

