[wp-trac] [WordPress Trac] #11605: wpdb::_weak_escape() is an alias to addslashes only

WordPress Trac wp-trac at lists.automattic.com
Sun Dec 27 22:38:14 UTC 2009


#11605: wpdb::_weak_escape() is an alias to addslashes only
------------------------------+---------------------------------------------
 Reporter:  hakre             |        Owner:  ryan    
     Type:  defect (bug)      |       Status:  reopened
 Priority:  normal            |    Milestone:  3.0     
Component:  Security          |      Version:  2.9     
 Severity:  normal            |   Resolution:          
 Keywords:  has-patch tested  |  
------------------------------+---------------------------------------------

Comment(by nacin):

 Replying to [comment:11 hakre]:
 > I'm pretty sure those function-names start with {{{_}}} to signal that
 > they are intended for private use.

 In this case, I would argue that if anything, they are for protected use,
 not private. Many drop-ins replace wpdb::_real_escape() with a method that
 calls, say, pg_escape_string() or sqllite_escape_string().

 Can we simplify this? Sure, we can change all references of
 wpdb::_weak_escape() to addslashes(), and maybe even remove
 wpdb::_weak_escape() when we're done. But unless we take it further as
 Denis said and overhaul how wpdb escapes SQL, what is truly necessary?

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11605#comment:14>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
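Added example, not WordPress core code: a stripped-down wpdb-style class (MiniWpdb and PgDropIn are made-up names) showing why the drop-in override nacin describes only works while the escape helpers are protected rather than private; the pg_escape_string() call is stood in for by the same quote-doubling so the script runs without a database connection.

```php
<?php
// Minimal stand-in for wpdb (constructed for this example, not core code).
class MiniWpdb {
    // _weak_escape() is a plain alias to addslashes(), as the ticket describes.
    protected function _weak_escape($string) {
        return addslashes($string);
    }

    // Stock _real_escape() would call mysql_real_escape_string(); to stay
    // offline this fallback also uses addslashes().
    protected function _real_escape($string) {
        return addslashes($string);
    }

    // Public entry point used by core; resolves to whichever _real_escape()
    // the running object provides.
    public function escape($data) {
        if (is_array($data)) {
            return array_map(array($this, 'escape'), $data);
        }
        return $this->_real_escape($data);
    }
}

// A db.php drop-in for PostgreSQL overrides only _real_escape().
class PgDropIn extends MiniWpdb {
    protected function _real_escape($string) {
        // Stand-in for pg_escape_string(): doubles single quotes instead of
        // backslash-escaping them (assumption: no pgsql extension loaded).
        return str_replace("'", "''", $string);
    }
}

// Same as MiniWpdb but with the helper declared private (constructed contrast).
class PrivateWpdb extends MiniWpdb {
    private function _real_escape($string) {
        return addslashes($string);
    }
}

$pg = new PgDropIn();
var_dump($pg->escape("O'Reilly"));   // string(9) "O''Reilly": override is used

// With a private helper, $this->_real_escape() inside escape() binds to the
// declaring class, so a subclass override in a drop-in would silently never
// run; that is the "protected, not private" point made in the comment above.
$priv = new PrivateWpdb();
var_dump($priv->escape("O'Reilly"));  // string(9) "O\'Reilly": base version runs
```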