[wp-hackers] E-mail address and SQL injection
Bob
wp-hackers at nj-arp.org
Sat Oct 27 23:42:51 GMT 2007
So it's still not clear to me if allowing quoted strings containing any
sequence of characters in an email address is safe.
----- Original Message -----
From: "Jacob" <wordpress at santosj.name>
To: <wp-hackers at lists.automattic.com>
Sent: Wednesday, October 24, 2007 9:50 PM
Subject: Re: [wp-hackers] E-mail address and SQL injection
> No, it in fact only just returns addslashes, as you can see from the 115
> returning addslashes and the comment saying to disable the rest because of
> some problems. It has been disabled for quite some time now. At least from
> my estimate since 2.2.
>
> Jacob Santos
>
> Peter Westwood wrote:
>>
>> On 24 Oct 2007, at 21:08, Abel Cheung wrote:
>>
>>> On 10/21/07, Rindisbacher Flurin <flurischt at gmail.com> wrote:
>>>>> $wpdb->get_row("SELECT ID FROM $wpdb->users WHERE user_email='$author'
>>>>> LIMIT 1");
>>>>>
>>>>> So this will be safe no matter what $author contains?
>>>>
>>>> This will be safe because in the line above $author is escaped.
>>>> ($wpdb->escape())
>>>
>>> Yes, safe if charset is iso-8859-1, ascii, utf-8 or other non-multibyte
>>> charset.
>>> For multibyte charsets accepting backslash and single quote as the
>>> second
>>> byte, it is quite possible to perform SQL injection as escape() solely
>>> relies
>>> on add_slashes() but not mysql_real_escape_string(), so inserting a
>>> character
>>> where second byte is single quote may do it.
>>
>> $wpdb->escape uses mysql_real_escape_string() if available
>>
>> http://trac.wordpress.org/browser/trunk/wp-includes/wp-db.php#L112
>>
>> and has done for the past 2 years:
>>
>> http://trac.wordpress.org/changeset/2684
>>
>> westi
>
>
> --
>
> Jacob Santos
>
More information about the wp-hackers
mailing list