[wp-hackers] WordPress Charset SQL Injection Vulnerability

Otto otto at ottodestruct.com
Sun Dec 16 10:17:03 GMT 2007


On 12/16/07, DD32 <wordpress at dd32.id.au> wrote:
> > On Dec 15, 2007 10:10 PM, Jeremy Visser <jeremy.visser at gmail.com> wrote:
> Just to throw a thought out about this quickly:
> Currently WP connects to the database as soon as its loaded, correct? Regardless of if any queries are going to be made.
>
> This happens before any caching plugins have a chance to take over,

No. It includes the advanced-cache.php file before it connects to the
DB. Assuming the caching plugin returns a cached page and exits, the
DB never gets connected to.

WP-Cache does this correctly. WP-Super-Cache bypasses PHP entirely by
generating HTML files that are served statically (via a rewriterule in
.htaccess).


More information about the wp-hackers mailing list