[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
WordPress Trac
wp-trac at lists.automattic.com
Thu Jun 28 03:53:48 GMT 2007
#4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
---------------------------------------------------------------+------------
Reporter: markjaquith | Owner: markjaquith
Type: task | Status: assigned
Priority: normal | Milestone: 2.3 (trunk)
Component: Security | Version: 2.3
Severity: normal | Resolution:
Keywords: sql prepared statement sprintf injection security |
---------------------------------------------------------------+------------
Comment (by markjaquith):
See patch (introduces the new method).
I've started going through WP core and moving to this type of escaping.
Thoughts so far:
* This will result in a net decrease in code
* It's not hard to make the change
* It makes places that lack adequate escaping GLARINGLY obvious.
* While going through, we can mark functions that expect pre-escaped data, for fixing in 2.4, with {{{// pre-escaped}}}
* You escape literal % symbols with %% (two in a row). You have to remember this for queries that use LIKE
--
Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:2>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software