[wp-trac] [WordPress Trac] #11605: wpdb::_weak_escape() is an alias to addslashes only
WordPress Trac
wp-trac at lists.automattic.com
Sun Dec 27 20:30:51 UTC 2009
#11605: wpdb::_weak_escape() is an alias to addslashes only
-----------------------------+----------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 3.0
Component: Security | Version: 2.9
Severity: normal | Resolution:
Keywords: has-patch close |
-----------------------------+----------------------------------------------
Changes (by nacin):
* keywords: has-patch => has-patch close
Comment:
-1.
Escaping in wpdb is abstracted into escape, _escape, _weak_escape and
_real_escape for very good reasons.
> It is naturally in the default (not overwritten) implementation,
> function wpdb::_weak_escape() is the alias to addslashes().
You said it yourself.
As an example, you are again adversely affecting drop-ins, which can
extend and rewrite the wpdb class and replace methods. i.e. bbPress
extends wpdb and adds one method. A drop-in could extend wpdb and replace
_weak_escape, which suddenly would cease to be called by wpdb::escape. The
point here is the concept of abstraction, not even whether there exists a
drop-in that does this.
Suggest closing as invalid.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11605#comment:8>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
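
The abstraction argument in the comment above, as an added sketch that is not WordPress code and not part of the original message. `SketchDb`, `InlinedDb`, the `QuoteDoubling` trait and the sample input are hypothetical stand-ins; only the method names `escape` and `_weak_escape` and the `addslashes()` default come from the ticket.

```php
<?php
// Simplified stand-in for the escaping chain named in the ticket (assumption:
// the real wpdb class has more layers; this keeps only escape -> _weak_escape).
class SketchDb {
    // Public entry point: always dispatches to the overridable hook.
    public function escape($data) {
        if (is_array($data)) {
            return array_map(array($this, 'escape'), $data);
        }
        return $this->_weak_escape($data);
    }

    // Default hook: plain addslashes(), as the ticket title states.
    public function _weak_escape($string) {
        return addslashes($string);
    }
}

// Variant where the hook is treated as a mere alias and escape() calls
// addslashes() directly, so the hook is no longer on the call path.
class InlinedDb extends SketchDb {
    public function escape($data) {
        if (is_array($data)) {
            return array_map(array($this, 'escape'), $data);
        }
        return addslashes($data);
    }
}

// Hypothetical drop-in behaviour: a backend that expects doubled single
// quotes instead of backslash escapes replaces only the hook.
trait QuoteDoubling {
    public function _weak_escape($string) {
        return str_replace("'", "''", $string);
    }
}

class DropInOnHook extends SketchDb { use QuoteDoubling; }
class DropInOnInlined extends InlinedDb { use QuoteDoubling; }

$input = "O'Reilly"; // constructed sample value

printf("hook kept:    %s\n", (new DropInOnHook())->escape($input));
printf("hook inlined: %s\n", (new DropInOnInlined())->escape($input));
```

With the hook kept, the drop-in's quote doubling is applied; with the hook inlined, the same drop-in silently falls back to backslash escaping, which is the wrong escaping for the backend it targets.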