[wp-hackers] E-mail address and SQL injection

Robin Adrianse robin.adr at gmail.com
Sat Oct 27 23:55:04 GMT 2007


It's perfectly safe. If you're worried about SQL injection, there are quite
a few safeguards against that.

On 10/27/07, Bob <wp-hackers at nj-arp.org> wrote:
>
> So it's still not clear to me if allowing quoted strings containing any
> sequence of characters in an email address is safe.
>
>
> ----- Original Message -----
> From: "Jacob" <wordpress at santosj.name>
> To: <wp-hackers at lists.automattic.com>
> Sent: Wednesday, October 24, 2007 9:50 PM
> Subject: Re: [wp-hackers] E-mail address and SQL injection
>
>
> > No, it in fact only just returns addslashes, as you can see from the 115
> > returning addslashes and the comment saying to disable the rest because of
> > some problems. It has been disabled for quite some time now. At least from
> > my estimate since 2.2.
> >
> > Jacob Santos
> >
> > Peter Westwood wrote:
> >>
> >> On 24 Oct 2007, at 21:08, Abel Cheung wrote:
> >>
> >>> On 10/21/07, Rindisbacher Flurin <flurischt at gmail.com> wrote:
> >>>>> $wpdb->get_row("SELECT ID FROM $wpdb->users WHERE user_email='$author'
> >>>>> LIMIT 1");
> >>>>>
> >>>>> So this will be safe no matter what $author contains?
> >>>>
> >>>> This will be safe because in the line above $author is escaped.
> >>>> ($wpdb->escape())
> >>>
> >>> Yes, safe if charset is iso-8859-1, ascii, utf-8 or other non-multibyte
> >>> charset.
> >>> For multibyte charsets accepting backslash and single quote as the second
> >>> byte, it is quite possible to perform SQL injection as escape() solely
> >>> relies on add_slashes() but not mysql_real_escape_string(), so inserting a
> >>> character where second byte is single quote may do it.
> >>
> >> $wpdb->escape uses mysql_real_escape_string() if available
> >>
> >> http://trac.wordpress.org/browser/trunk/wp-includes/wp-db.php#L112
> >>
> >> and has done for the past 2 years:
> >>
> >> http://trac.wordpress.org/changeset/2684
> >>
> >> westi
> >
> >
> > --
> >
> > Jacob Santos
> >
>
>
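The charset point raised in the quoted thread, shown as an added example in Python; this is not code from the thread or from WordPress. The GBK byte ranges, the single-byte-charset stand-in and the simplified lexer are assumptions stated in the comments, and the input bytes in the usage note are constructed.

```python
# Added example, not code from this thread or from WordPress: why byte-oriented
# addslashes() fails once the MySQL connection charset is multibyte (GBK here),
# and what a charset-aware escaper like mysql_real_escape_string() must do.
# Assumed: the GBK lead/trail byte ranges below, and a MySQL-style lexer that
# skips exactly one byte after a backslash.
SPECIAL = {0x00, 0x27, 0x22, 0x5C}   # NUL ' " \ : the bytes addslashes() touches

def gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE
def gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0xFE and b != 0x7F
def no_multibyte(b: int) -> bool:
    return False                     # single-byte charsets have no lead bytes

def escape_byte(b: int) -> bytes:
    return b"\\0" if b == 0 else bytes([0x5C, b])

def addslashes(data: bytes) -> bytes:
    """Charset-unaware escaping, byte by byte, like PHP's addslashes()."""
    return b"".join(escape_byte(b) if b in SPECIAL else bytes([b]) for b in data)

def charset_aware_escape(data: bytes, lead, trail) -> bytes:
    """A complete multibyte character passes through untouched; a dangling lead
    byte is escaped itself so a later backslash cannot be absorbed into it as
    its trail byte; the usual special bytes get a backslash."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if lead(b) and i + 1 < len(data) and trail(data[i + 1]):
            out += data[i:i + 2]
            i += 2
            continue
        out += escape_byte(b) if (lead(b) or b in SPECIAL) else bytes([b])
        i += 1
    return bytes(out)

def stays_inside_literal(escaped: bytes, lead, trail) -> bool:
    """Read the bytes as a MySQL-style lexer reads a '...' literal under the
    charset; False means a bare quote ends the literal early."""
    i = 0
    while i < len(escaped):
        b = escaped[i]
        if lead(b) and i + 1 < len(escaped) and trail(escaped[i + 1]):
            i += 2                   # one two-byte character, whatever its bytes
        elif b == 0x5C:
            i += 2                   # backslash escapes exactly one byte
        elif b == 0x27:
            return False             # unescaped quote: the literal ends here
        else:
            i += 1
    return True
```

With the constructed input b"\xbf'", addslashes() produces a literal that terminates early under GBK but not under a single-byte charset, while charset_aware_escape() keeps it intact under both. The same split appears for a valid two-byte character whose trail byte is 0x5C followed by a quote, which addslashes() mangles by escaping the trail byte.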
