[wp-trac] Re: [WordPress Trac] #4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
WordPress Trac
wp-trac at lists.automattic.com
Thu Sep 27 07:37:56 GMT 2007
#4553: Consider using local prepared-statement/sprintf()-like system for last-second SQL escaping
---------------------------------------------------------------------+------
Reporter: markjaquith | Owner: markjaquith
Type: task | Status: assigned
Priority: high | Milestone: 2.4
Component: Security | Version: 2.3
Severity: normal | Resolution:
Keywords: sql prepared statement sprintf injection security early |
---------------------------------------------------------------------+------
Comment (by markjaquith):
I'm going to be working my way through wp-includes alphabetically, then wp-admin. I'm also looking for places where prepare() can't be cleanly
implemented (places that expect data to already be slashed). I'm marking up
those areas like so:
{{{
// expected_slashed ($variable1, $variable2)
}}}
That way, if we decide to change those functions so they expect unslashed
data, we know where to look.
Also, I skipped prepare()ing a few complicated queries constructed by a
lot of branched PHP logic.
--
Ticket URL: <http://trac.wordpress.org/ticket/4553#comment:18>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
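The pattern the comment is working toward, written out as an added example. This is not WordPress's wpdb code: demo_prepare() is a hypothetical, minimal sprintf()-style prepare() that escapes string arguments at the moment the SQL string is assembled, and it uses PHP's addslashes() for that escaping as an illustration (the real escaping belongs to the database driver). The hostile input is constructed. The last part shows the problem behind the `// expected_slashed` marker: data that arrives already slashed gets escaped a second time.

```php
<?php
// Added example for this ticket, not WordPress's own code.
// Placeholders: %s = string, escaped and quoted at assembly time;
//               %d = integer, cast and never quoted.
function demo_prepare(string $query, ...$args): string
{
    $i = 0;
    return preg_replace_callback('/%[sd]/', function (array $m) use ($args, &$i): string {
        if (!array_key_exists($i, $args)) {
            throw new InvalidArgumentException('not enough arguments for query');
        }
        $value = $args[$i++];
        if ($m[0] === '%d') {
            return (string) (int) $value;                 // integer: cast, no quotes
        }
        // string: escape ' " \ and NUL (addslashes is the illustration here,
        // a real implementation should use the driver's escape function)
        return "'" . addslashes((string) $value) . "'";
    }, $query);
}

// Constructed hostile input, arriving raw (unslashed) from the request.
$slug = "hello' OR '1'='1";

// Before: raw interpolation. The quote in $slug closes the literal and the
// OR clause becomes part of the WHERE condition.
$unsafe = "SELECT ID FROM wp_posts WHERE post_name = '$slug' AND post_author = 7";

// After: escaping happens when the SQL is assembled, so the value stays
// inside its literal; %d coerces the author id to an integer.
$safe = demo_prepare(
    "SELECT ID FROM wp_posts WHERE post_name = %s AND post_author = %d",
    $slug,
    '7 OR 1=1'
);

// The "expected_slashed" case from the comment: a caller that already
// slashed its data hands it to prepare(), the escaping is applied twice,
// and a literal backslash ends up in the stored value.
$already_slashed = addslashes($slug);
$double = demo_prepare("UPDATE wp_posts SET post_name = %s", $already_slashed);

echo "unsafe: $unsafe\n";
echo "safe:   $safe\n";
echo "double: $double\n";
```

Run it with `php demo.php` and compare the three queries: only the "safe" one keeps the injected quote inside the string literal, and the "double" one shows why callers that expect pre-slashed input have to be converted to unslashed data before prepare() can be used there.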