[wp-trac] [WordPress Trac] #11605: wpdb::_weak_escape() is an alias to addslashes only (was: esc_sql does not escape sql, it just adds slashes)

WordPress Trac wp-trac at lists.automattic.com
Sun Dec 27 19:46:52 UTC 2009


#11605: wpdb::_weak_escape() is an alias to addslashes only
--------------------------+-------------------------------------------------
 Reporter:  hakre         |        Owner:  ryan    
     Type:  defect (bug)  |       Status:  reopened
 Priority:  normal        |    Milestone:  3.0     
Component:  Security      |      Version:  2.9     
 Severity:  normal        |   Resolution:          
 Keywords:  has-patch     |  
--------------------------+-------------------------------------------------
Changes (by hakre):

  * status:  closed => reopened
  * version:  => 2.9
  * milestone:  => 3.0
  * keywords:  => has-patch
  * resolution:  invalid =>


Comment:

 FYI 1: from [http://codex.wordpress.org/Data_Validation wordpress codex]:
 {{{
 esc_sql( $text ) (since 2.8)
 $wpdb->escape( $text )
 Escapes a single string for use in a SQL query. Glorified addslashes().
 }}}

 FYI 2: from esc_sql function documentation:
 {{{
 /**
  * Escapes data for use in a MySQL query
  *
  * This is just a handy shortcut for $wpdb->escape(), for completeness' sake
  *
  * @since 2.8.0
  * @param string $sql Unescaped SQL data
  * @return string The cleaned $sql
  */
 }}}

 I must admit that I did not properly think about the possibility of replacing WPDB
 with one's own implementation. So the error is "only" in the default
 implementation and therefore changing esc_sql() is wrong.

 Naturally, in the default (not overridden) implementation, the function
 ''wpdb::_weak_escape()'' is an alias for ''addslashes()''. So that's the
 place where it must be corrected then.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11605#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
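As an added illustration (not code from the ticket or from WordPress), the following PHP compares addslashes(), which is what the default wpdb::_weak_escape() delegates to, against a constructed ASCII-only stand-in for the byte set MySQL's own escaping function is documented to cover. The helper names and sample strings are assumptions; the real mysql_real_escape_string() is charset-aware and needs a live connection handle, which is why it is not called here.

```php
<?php
// Added example, not WordPress code: show where an alias to addslashes()
// falls short of MySQL-style string escaping.

function weak_escape($text) {
    // What the default wpdb::_weak_escape() amounts to: plain addslashes(),
    // which only handles ' " \ and NUL.
    return addslashes($text);
}

function mysql_style_escape_ascii($text) {
    // Constructed stand-in (assumption): the byte set MySQL escaping covers,
    // valid only for single-byte charsets. Production code must use the
    // connection-aware escape function instead of this helper.
    return strtr($text, array(
        "\x00" => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        "\\"   => '\\\\',
        "'"    => "\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ));
}

// Constructed sample values: two contain bytes addslashes() leaves alone.
$samples = array("line1\nline2", "ctrl-z\x1aend", "it's \"quoted\"");

foreach ($samples as $s) {
    $weak = weak_escape($s);
    $full = mysql_style_escape_ascii($s);
    printf("%-22s weak=%-24s full=%-24s %s\n",
        json_encode($s), json_encode($weak), json_encode($full),
        $weak === $full ? 'same' : 'DIFFERS');
}
```

The first two samples print DIFFERS because addslashes() passes newline and 0x1A through untouched; the third prints same, since quotes and backslashes are the one case both functions agree on.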