[wp-trac] [WordPress Trac] #11819: Use mysql_real_escape_string instead of addslashes

WordPress Trac wp-trac at lists.automattic.com
Sun Jan 17 03:25:19 UTC 2010

#11819: Use mysql_real_escape_string instead of addslashes
 Reporter:  hakre         |        Owner:  ryan    
     Type:  defect (bug)  |       Status:  reopened
 Priority:  high          |    Milestone:  3.0     
Component:  Security      |      Version:  2.5     
 Severity:  critical      |   Resolution:          
 Keywords:  dev-feedback  |  

Comment(by hakre):

 Replying to [comment:10 ryan]:
 > I'll provide more background in hopes I can point to this ticket the
 next time it comes up.
 > mysql_set_charset()and its counterpart mysql_set_character_set() in
 MySQL are needed to properly set the internal encoding used by
 mysql_real_escape_string() and other functions.  SET NAMES is not
 I had the fear that you refer to it, but I could not find any source that
 is backing this up. Can you please name precisely the root cause why
 mysql_real_escape_string() should not be save by using "SET NAMES"?


 Regarding to the usage of database escape functions as a tool of general
 use by some users. I think this is the fault of those users and not of the
 API. I mean we are talking here about the DB class and it's not a general
 escaping class.

Ticket URL: <http://core.trac.wordpress.org/ticket/11819#comment:14>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

More information about the wp-trac mailing list