[wp-trac] Re: [WordPress Trac] #5455: Charset SQL Injection Vulnerability

WordPress Trac wp-trac at lists.automattic.com
Tue Dec 11 10:14:16 GMT 2007


#5455: Charset SQL Injection Vulnerability
-----------------------+----------------------------------------------------
 Reporter:  pishmishy  |        Owner:  pishmishy
     Type:  defect     |       Status:  assigned 
 Priority:  normal     |    Milestone:  2.5      
Component:  Security   |      Version:  2.4      
 Severity:  normal     |   Resolution:           
 Keywords:             |  
-----------------------+----------------------------------------------------
Comment (by pishmishy):

 It appears that mysql_real_escape_string() ignores any change of character
 set during an established mysql session and continues to use the first
 character set.
 (See http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html)
 The general fix to this problem appears to be prepared statements.
 Or perhaps someone can code a better escaping function?

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5455#comment:4>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
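As an added example (not code from the ticket or from WordPress core), the two ways to avoid the problem pishmishy describes, written against PHP's mysqli extension: set the charset through the client library instead of a bare SET NAMES query, and prefer a prepared statement so the value never passes through escaping at all. Host, credentials, database and table name are placeholders.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// Host, credentials, database and table name below are placeholders.

$db = new mysqli('localhost', 'db_user', 'db_password', 'example_db');
if ($db->connect_error) {
    die('Connect failed: ' . $db->connect_error);
}

// WRONG: a bare SET NAMES changes the charset on the server side only. The
// client library keeps escaping with the charset negotiated at connect time,
// so real_escape_string() and the server no longer agree on byte boundaries.
// $db->query('SET NAMES utf8');

// RIGHT: set_charset() updates the client library as well as the server,
// so any later escaping is done with the charset the server will parse.
if (!$db->set_charset('utf8')) {
    die('Cannot set charset: ' . $db->error);
}

// Escaping is sound again once both sides agree on the charset...
$login = isset($_GET['login']) ? $_GET['login'] : '';
$escaped = $db->real_escape_string($login);
$result = $db->query("SELECT ID FROM example_users WHERE user_login = '$escaped'");
if ($result === false) {
    die('Query failed: ' . $db->error);
}
$result->free();

// ...but a prepared statement removes the dependence on escaping altogether:
// the value is sent separately from the SQL text and is never parsed as SQL.
$stmt = $db->prepare('SELECT ID, user_login FROM example_users WHERE user_login = ?');
if ($stmt === false) {
    die('Prepare failed: ' . $db->error);
}
$stmt->bind_param('s', $login);
$stmt->execute();
$stmt->bind_result($id, $name);
while ($stmt->fetch()) {
    printf("%d: %s\n", $id, $name);
}
$stmt->close();
$db->close();
```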