[wp-trac] Re: [WordPress Trac] #3036: theme-editor.php broken:
stripslashes() and add_magic_quotes() screw up CR LFs
WordPress Trac
wp-trac at lists.automattic.com
Wed Aug 16 01:58:48 GMT 2006
#3036: theme-editor.php broken: stripslashes() and add_magic_quotes() screw up CR
LFs
------------------------------+---------------------------------------------
Reporter: astounding | Owner: anonymous
Type: defect | Status: closed
Priority: normal | Milestone:
Component: Administration | Version: 2.0.4
Severity: major | Resolution: fixed
Keywords: theme-editor.php |
------------------------------+---------------------------------------------
Comment (by astounding):
Oh, here's a patch that really ought to be used. Since wp-db.php
currently just uses addslashes() for doing escaping, and since
add_magic_quotes() in functions.php really doesn't need anything more,
just move it directly to add_magic_quotes().

This opens the door to more database types for wp-db.php without breaking
how things currently work AS LONG AS before actual database calls, the
true database escaping code is called (and I haven't examined the code to
be sure of this). But if this is not the case, there are potential issues
already in existence.

This patch does NOT change things (security-wise) in any way, since
addslashes() is all that gets called via the wp-db.php escape() function
call. The above was just speculating about the future.

--- wp-includes/functions.php.orig Tue Aug 15 19:53:36 2006
+++ wp-includes/functions.php Tue Aug 15 19:54:22 2006
@@ -2148,7 +2148,7 @@
if ( is_array($v) ) {
$array[$k] = add_magic_quotes($v);
} else {
- $array[$k] = $wpdb->escape($v);
+ $array[$k] = addslashes($v);
}
}
return $array;
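
Review bot: the added line "$array[$k] = addslashes($v);" in the else branch ties add_magic_quotes() to addslashes() for good, so any later change to $wpdb->escape() (for example a database-specific escaping routine) will no longer reach values slashed here. The accompanying comment says the call sites have not been checked for a real database escape before queries, so that check should happen before this is merged. If the decoupling is intended, add a comment above add_magic_quotes() stating that its output is magic-quotes-style slashing only and is not a substitute for $wpdb->escape() when building SQL.
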
@@ -2503,4 +2503,4 @@
die();
}
-?>
\ No newline at end of file
+?>
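
Review bot: the hunk at the end of functions.php is a whitespace-only change (a newline added after the closing "?>") and is unrelated to the escaping change above; drop it from this patch or send it separately so the functional change is reviewed on its own. PHP discards a single newline directly after "?>", so the change is harmless, but omitting the closing tag at the end of the file would remove the trailing-whitespace concern entirely.
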
--
Ticket URL: <http://trac.wordpress.org/ticket/3036>
WordPress Trac <http://wordpress.org/>
WordPress blogging software