[wp-trac] [WordPress Trac] #3286: Handling of escape sequences is muddled and non-compatible
WordPress Trac
wp-trac at lists.automattic.com
Thu Oct 26 13:59:25 GMT 2006
#3286: Handling of escape sequences is muddled and non-compatible
----------------------+-----------------------------------------------------
Reporter: cdavies | Owner: anonymous
Type: defect | Status: new
Priority: high | Milestone:
Component: Security | Version: 2.0.4
Severity: major | Keywords:
----------------------+-----------------------------------------------------
WordPress should use SQL-style escape sequences in its SQL statements, and
HTML-style escape sequences in its output to the browser. Instead, it uses
C-style escape sequences in its SQL.
This causes WordPress not to function correctly with MySQL in
NO_BACKSLASH_ESCAPES mode, and makes porting to other DBMSs such as SQLite
difficult.
The fix for this problem is to remove all instances of addslashes(...)
from the code, and rewrite the escape function in wp-db.php.
While I was checking that this defect was not a duplicate, I also noticed
that a security defect reported against an ancient version of WordPress
took issue with the way SQL was escaped; the fix for that appears to have
regressed.
--
Ticket URL: <http://trac.wordpress.org/ticket/3286>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
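The two escaping styles the report contrasts, as an added example that is not code from the ticket or from WordPress: a simplified Python model of how MySQL reads a string literal in its default mode and under NO_BACKSLASH_ESCAPES (the parser is an assumption of the example, not the server's code). It shows that addslashes()-style output ends the literal early under NO_BACKSLASH_ESCAPES, while quote doubling survives both modes only for values without backslashes.

```python
# Simplified model of how the MySQL server reads a single-quoted string
# literal in its default sql_mode and under NO_BACKSLASH_ESCAPES. The
# parser is an assumption of this example, not the server's own code.

# Default mode: "\x" maps to a control character for these letters, "\%"
# and "\_" keep their backslash, and any other "\c" yields just "c".
_MYSQL_ESCAPES = {"0": "\0", "b": "\b", "n": "\n", "r": "\r",
                  "t": "\t", "Z": "\x1a", "%": "\\%", "_": "\\_"}

def backslash_escape(value: str) -> str:
    """C-style escaping in the manner of PHP's addslashes(): a backslash
    before every quote and backslash. Only MySQL's default mode reads it."""
    escaped = "".join("\\" + c if c in "'\"\\" else c for c in value)
    return "'" + escaped + "'"

def sql_quote_escape(value: str) -> str:
    """SQL-standard escaping: double every single quote. Correct wherever a
    backslash is ordinary text (NO_BACKSLASH_ESCAPES, SQLite)."""
    return "'" + value.replace("'", "''") + "'"

def parse_literal(sql: str, no_backslash_escapes: bool):
    """Consume one single-quoted literal at the start of sql. Returns the
    decoded value and the remainder the server would parse as further SQL."""
    if not sql.startswith("'"):
        raise ValueError("literal must start with a single quote")
    i, out = 1, []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and not no_backslash_escapes and i + 1 < len(sql):
            # Default mode: the backslash introduces an escape sequence.
            out.append(_MYSQL_ESCAPES.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'":
            if sql[i + 1:i + 2] == "'":
                out.append("'")  # doubled quote, valid in both modes
                i += 2
            else:
                return "".join(out), sql[i + 1:]  # closing quote
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

def round_trips(escaper, value: str, no_backslash_escapes: bool) -> bool:
    """True if the escaped literal decodes back to value and leaves nothing
    behind to be parsed as SQL, i.e. the escaping is safe in that mode."""
    decoded, rest = parse_literal(escaper(value), no_backslash_escapes)
    return decoded == value and rest == ""
```

In this model round_trips(sql_quote_escape, "x\\y", False) is False because default-mode MySQL still interprets the backslash, so an escape function that is correct for both modes must know which mode the server is running in.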