[wp-hackers] E-mail address and SQL injection
Peter Westwood
peter.westwood at ftwr.co.uk
Wed Oct 24 20:14:12 GMT 2007
On 24 Oct 2007, at 21:08, Abel Cheung wrote:
> On 10/21/07, Rindisbacher Flurin <flurischt at gmail.com> wrote:
>>> $wpdb->get_row("SELECT ID FROM $wpdb->users WHERE user_email='$author' LIMIT 1");
>>>
>>> So this will be safe no matter what $author contains?
>>
>> This will be safe because in the line above $author is escaped.
>> ($wpdb->escape())
>
> Yes, safe if charset is iso-8859-1, ascii, utf-8 or other non-multibyte charset.
> For multibyte charsets accepting backslash and single quote as the second
> byte, it is quite possible to perform SQL injection as escape() solely relies
> on addslashes() but not mysql_real_escape_string(), so inserting a character
> where second byte is single quote may do it.
$wpdb->escape uses mysql_real_escape_string() if available
http://trac.wordpress.org/browser/trunk/wp-includes/wp-db.php#L112
and has done for the past 2 years:
http://trac.wordpress.org/changeset/2684
westi
--
Peter Westwood <peter.westwood at ftwr.co.uk>
Blog: http://blog.ftwr.co.uk/
WordPress Plugins: http://blog.ftwr.co.uk/wordpress/
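The following is an added example for this thread, not WordPress or MySQL code. It models in pure Python, with no database, the two behaviours the thread contrasts: a byte-oriented escape like PHP's addslashes() and a charset-aware escape in the spirit of mysql_real_escape_string(), then checks each result the way a server lexing the literal in the connection charset would. The multibyte rules, the lexer and the is_multibyte_charset() heuristic are simplified models (assumptions) that use Python's codecs as the validity oracle; the sample input is constructed.

```python
# Added example for this thread; it is not WordPress or MySQL code. It models in
# pure Python, with no database, the two behaviours discussed above: a
# byte-oriented escape like PHP's addslashes(), and a charset-aware escape in
# the spirit of mysql_real_escape_string(). The multibyte rules and the string
# lexer are simplified models that use Python's codecs as the validity oracle.
from typing import Dict, List

SPECIAL = {0x27, 0x22, 0x5C, 0x00}  # ' " \ NUL


def mb_char_len(data: bytes, i: int, charset: str) -> int:
    """Return n > 0 if data[i:i+n] is exactly one valid multibyte character of
    `charset`, otherwise 0. Single-byte charsets therefore always yield 0."""
    if data[i] < 0x80:
        return 0
    for n in (2, 3, 4):
        chunk = data[i:i + n]
        if len(chunk) < n:
            break
        try:
            if len(chunk.decode(charset)) == 1:
                return n
        except UnicodeDecodeError:
            continue
    return 0


def is_multibyte_charset(charset: str) -> bool:
    """Heuristic (assumption): a charset is multibyte if it needs more than one
    byte for a CJK ideograph; latin-1 cannot encode it at all and yields 0."""
    return len("\u4e2d".encode(charset, "ignore")) > 1


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escape modelled on PHP's addslashes(): no charset knowledge."""
    out = bytearray()
    for b in data:
        if b in SPECIAL:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Escape modelled on MySQL's escape_string_for_mysql(): complete multibyte
    characters are copied untouched, metacharacters are escaped, and a high
    byte that does not complete a valid character is escaped too, so the
    backslash added for a following quote can never be swallowed into it."""
    multibyte = is_multibyte_charset(charset)
    out = bytearray()
    i = 0
    while i < len(data):
        n = mb_char_len(data, i, charset)
        if n:
            out += data[i:i + n]
            i += n
            continue
        b = data[i]
        if b in SPECIAL or (multibyte and b >= 0x80):
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def unescaped_quote_positions(literal: bytes, charset: str) -> List[int]:
    """Model of how the server lexes the body of a single-quoted literal in the
    connection charset: a complete multibyte character is consumed whole, a
    backslash consumes exactly the next byte, and any other single quote would
    end the literal early. Returns the byte offsets of such quotes."""
    hits: List[int] = []
    i = 0
    while i < len(literal):
        n = mb_char_len(literal, i, charset)
        if n:
            i += n
        elif literal[i] == 0x5C:
            i += 2
        else:
            if literal[i] == 0x27:
                hits.append(i)
            i += 1
    return hits


def compare(data: bytes, charset: str) -> Dict[str, bool]:
    """Is each escape safe for `data` when the connection charset is `charset`?"""
    return {
        "addslashes_safe": not unescaped_quote_positions(addslashes(data), charset),
        "charset_aware_safe": not unescaped_quote_positions(
            charset_aware_escape(data, charset), charset),
    }


# Constructed sample: a high byte followed by a quote, the shape Abel describes.
SAMPLE = b"\xbf'"

if __name__ == "__main__":
    for cs in ("latin-1", "utf-8", "gbk"):
        print(cs, compare(SAMPLE, cs))
```

Run as-is, the byte-oriented escape is reported safe under latin-1 and utf-8 but not under gbk, where the added backslash is absorbed into a valid two-byte character and the quote survives, while the charset-aware escape is safe in all three. The practical lesson is the one Peter's reply points to: escaping has to know the connection charset, which is why the client library's escape function is used when available; binding values with prepared or parameterised queries avoids the question altogether.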