[wp-hackers] E-mail address and SQL injection
Jacob
wordpress at santosj.name
Thu Oct 25 01:50:08 GMT 2007
No, it in fact only just returns addslashes, as you can see from the 115
returning addslashes and the comment saying to disable the rest because
of some problems. It has been disabled for quite some time now. At least
from my estimate since 2.2.
Jacob Santos
Peter Westwood wrote:
>
> On 24 Oct 2007, at 21:08, Abel Cheung wrote:
>
>> On 10/21/07, Rindisbacher Flurin <flurischt at gmail.com> wrote:
>>>> $wpdb->get_row("SELECT ID FROM $wpdb->users WHERE user_email='$author'
>>>> LIMIT 1");
>>>>
>>>> So this will be safe no matter what $author contains?
>>>
>>> This will be safe because in the line above $author is escaped.
>>> ($wpdb->escape())
>>
>> Yes, safe if charset is iso-8859-1, ascii, utf-8 or other
>> non-multibyte charset.
>> For multibyte charsets accepting backslash and single quote as the
>> second
>> byte, it is quite possible to perform SQL injection as escape()
>> solely relies
>> on add_slashes() but not mysql_real_escape_string(), so inserting a
>> character
>> where second byte is single quote may do it.
>
> $wpdb->escape uses mysql_real_escape_string() if available
>
> http://trac.wordpress.org/browser/trunk/wp-includes/wp-db.php#L112
>
> and has done for the past 2 years:
>
> http://trac.wordpress.org/changeset/2684
>
> westi
--
Jacob Santos
http://www.santosj.name - blog
http://wordpress.svn.dragonu.net/unittest/ - unofficial WP unit test suite.
Also known as darkdragon and santosj on WP trac.
More information about the wp-hackers
mailing list