[wp-hackers] sql injection protected included?

Otto otto at ottodestruct.com
Tue Feb 28 19:17:56 UTC 2012


Yes, that is an SQL injection and it is exploitable. The plugin has
been closed; the author will be contacted.

In the future, please don't make security issues like this public
immediately. Contact plugins at wordpress.org or security at wordpress.org
first.

-Otto



On Tue, Feb 28, 2012 at 11:52 AM, Bjorn Wijers <burobjorn at gmail.com> wrote:
> Hi,
>
> I was looking at this plugin's file[1] and I was a bit surprised about it
> not using wpdb->prepare() for escaping user input in db queries.
>
> I've tried to abuse this (proving this plugin contains a mistake and fix
> it), but failed.
>
> It seems that WordPress is using its own version of magic_quotes() called
> wp_magic_quotes() in wp-includes/load.php to actively prevent single quotes
> from being used in the wpdb->query()? Btw I'm sure magic_quotes() is off in
> my php.ini (although I do use the Suhosin Patch). I'm using PHP 5.3.5.
>
> So why bother with wpdb->prepare() or any other higher level escape
> functions if WordPress has already (partially?) taken care of this?
>
> Just wondering, if some other people could have a look at this and perhaps
> enlighten me on sql injection protection and best practices (for WordPress
> plugins) given that I was under the impression one should always escape user
> input.
>
> [1] http://plugins.svn.wordpress.org/i-like-this/trunk/like.php
>
> Thanks in advance,
>
> Grtz
> BjornW
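As an added example (not code from the plugin or from WordPress core), the PHP script below mimics wp_magic_quotes() with addslashes() and uses a small stand-in for $wpdb->prepare() to show why globally slashed input only covers quoted string contexts: a value spliced into an unquoted numeric comparison is still injectable, while a %d placeholder coerces it to an integer. The table and column names are made up.

```php
<?php
// Added illustration: why slashed request input is not a substitute for
// $wpdb->prepare(). mini_prepare() is a simplified stand-in for
// wpdb::prepare() (only %s and %d) so the script runs without WordPress.

// Approximation of what wp_magic_quotes() does to $_GET / $_POST values.
function magic_quotes(array $input): array {
    return array_map('addslashes', $input);
}

// Stand-in for $wpdb->prepare(): %d is cast to int, %s is escaped and quoted.
function mini_prepare(string $sql, array $args): string {
    $i = 0;
    return preg_replace_callback('/%[ds]/', function ($m) use ($args, &$i) {
        $arg = $args[$i++];
        return $m[0] === '%d'
            ? (string) intval($arg)
            : "'" . addslashes($arg) . "'";
    }, $sql);
}

// Constructed request: a numeric parameter carrying non-numeric text and a
// string parameter containing a single quote.
$request = magic_quotes(['post_id' => '1 OR 1=1', 'note' => "it's fine"]);

// 1. Interpolation inside a quoted string context: the added backslash
//    keeps the quote from ending the literal, so magic quotes happen to help.
$q1 = "SELECT id FROM likes WHERE note = '{$request['note']}'";

// 2. Interpolation in an unquoted numeric context: there is no quote to
//    escape, the whole expression is spliced in and the WHERE clause changes.
$q2 = "SELECT id FROM likes WHERE post_id = {$request['post_id']}";

// 3. prepare(): %d forces an integer regardless of what was submitted.
//    Input is unslashed first because prepare() escapes by itself; passing
//    slashed values would store literal backslashes (double escaping).
$q3 = mini_prepare(
    "SELECT id FROM likes WHERE post_id = %d AND note = %s",
    [stripslashes($request['post_id']), stripslashes($request['note'])]
);

echo $q1, "\n", $q2, "\n", $q3, "\n";
```

Query 2 is the case magic quotes cannot cover; query 3 is what the same lookup looks like when every parameter goes through a placeholder.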

