[wp-trac] Re: [WordPress Trac] #5455: Charset SQL Injection Vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Wed Dec 12 11:39:00 GMT 2007
#5455: Charset SQL Injection Vulnerability
-----------------------+----------------------------------------------------
Reporter: pishmishy | Owner: pishmishy
Type: defect | Status: assigned
Priority: normal | Milestone: 2.5
Component: Security | Version: 2.4
Severity: normal | Resolution:
Keywords: |
-----------------------+----------------------------------------------------
Comment (by pishmishy):
Problem: set_charset() never exists in WordPress as it's only available
through the improved mysqli interface, not mysql. Even so, won't your
suggestion still result in the vulnerability being present for people not
using the later versions of PHP and MySQL?
''Further notes that may help...
{{{(mb_detect_encoding($string)!="ASCII")}}} will detect multibyte
strings, {{{($this->charset != mysql_client_encoding($this->dbh))}}}
detects the mismatch between WordPress and db session's character sets.''
--
Ticket URL: <http://trac.wordpress.org/ticket/5455#comment:8>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
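
The two checks quoted in the comment above, combined into one guard. This is an added example, not part of the original message and not WordPress code. The function names, the 'ok' / 'warn' / 'reject' policy and the sample values are assumptions; in real use $session would hold the value reported for the live connection, e.g. by the mysql_client_encoding($this->dbh) call quoted above.

```php
<?php
// Added illustration, not WordPress code; all function names are hypothetical.

// utf8 is MySQL's alias for utf8mb3, so treat the two names as equal.
function normalise_charset(string $name): string
{
    $name = strtolower(trim($name));
    return $name === 'utf8mb3' ? 'utf8' : $name;
}

// First quoted check: anything that is not pure 7-bit ASCII.
// Strict mode with a one-entry list avoids depending on mbstring's detect order.
function has_non_ascii(string $value): bool
{
    return $value !== '' && mb_detect_encoding($value, ['ASCII'], true) !== 'ASCII';
}

// Second quoted check plus a decision: $configured plays the role of
// $this->charset, $session is the charset reported for the live connection.
function charset_guard(string $value, string $configured, string $session): string
{
    if (normalise_charset($configured) === normalise_charset($session)) {
        return 'ok';      // application and session agree on the charset
    }
    // Mismatch: ASCII-only input is only flagged, multibyte input is refused
    // (assumed policy for this example).
    return has_non_ascii($value) ? 'reject' : 'warn';
}

// Constructed sample inputs (not taken from the ticket).
$cases = [
    ['hello world', 'utf8', 'utf8'],
    ["caf\xC3\xA9", 'utf8', 'UTF8MB3'],
    ['hello world', 'utf8', 'latin1'],
    ["caf\xC3\xA9", 'utf8', 'latin1'],
];
foreach ($cases as [$value, $configured, $session]) {
    printf("%-6s configured=%s session=%s value=%s\n",
        charset_guard($value, $configured, $session),
        $configured, $session, bin2hex($value));
}
```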