[wp-trac] Re: [WordPress Trac] #5455: Charset SQL Injection Vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Wed Feb 6 16:34:13 GMT 2008
#5455: Charset SQL Injection Vulnerability
-----------------------+----------------------------------------------------
Reporter: pishmishy | Owner: pishmishy
Type: defect | Status: assigned
Priority: normal | Milestone: 2.6
Component: Security | Version: 2.5
Severity: normal | Resolution:
Keywords: has-patch |
-----------------------+----------------------------------------------------
Comment (by pishmishy):
Oh and in your patch I think that
{{{
function escape($string)
}}}
Can just be
{{{
function escape($string) {
	return mysql_real_escape_string( $string, $this->dbh );
}
}}}
The problem isn't that we can't use mysql_real_escape_string() for some
character sets - just that it doesn't always do what's expected. Since
addslashes() doesn't either - I think we might well just use
mysql_real_escape_string() and make the code simple. I hope that makes
sense =)
--
Ticket URL: <http://trac.wordpress.org/ticket/5455#comment:15>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
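The comment above turns on one point: addslashes() escapes bytes, while mysql_real_escape_string() escapes characters in the charset the client library has been told about. The following is an added example, not code from the ticket, the patch, or WordPress, that makes the difference visible at the byte level. It assumes a GBK connection (a multibyte charset in which 0x5c, the backslash, is a legal second byte), uses a constructed payload, and models the escaper and the server's string lexer in simplified form rather than calling MySQL itself.

```python
"""Added example (not code from the ticket, the patch, or WordPress): a
byte-level model of why addslashes() cannot stand in for a charset-aware
escape such as mysql_real_escape_string().

Assumptions (not stated on the page): the connection charset is GBK, where
0x5c (backslash) is a legal trail byte; the attacker input is constructed for
illustration; the escaper and lexer below are simplified models, not MySQL's
own code.
"""
from typing import Callable, Optional, Tuple

# Constructed payload: 0xbf looks like the first byte of a GBK character but is
# followed by a quote, which is not a legal GBK trail byte.
PAYLOAD = b"\xbf' OR 1=1 -- "


def is_gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def is_gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping like PHP's addslashes(): backslashes ' " \\ and
    NUL with no idea which charset the server will use to read the result."""
    out = bytearray()
    for b in data:
        if b == 0x00:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):
            out += bytes([0x5C, b])
        else:
            out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes) -> bytes:
    """Model of the multibyte path of a charset-aware escaper: a complete
    two-byte GBK character passes through untouched, a byte that merely looks
    like a lead byte is itself escaped (so the server cannot pair it with the
    backslash added for the following quote), and ' " \\ NUL are backslashed."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if is_gbk_lead(b) and i + 1 < n and is_gbk_trail(data[i + 1]):
            out += data[i:i + 2]
            i += 2
            continue
        if is_gbk_lead(b):
            out += bytes([0x5C, b])   # orphan lead byte: escape it
        elif b == 0x00:
            out += b"\\0"
        elif b in (0x27, 0x22, 0x5C):
            out += bytes([0x5C, b])
        else:
            out.append(b)
        i += 1
    return bytes(out)


def literal_end(query: bytes, start: int) -> Optional[int]:
    """Model of a GBK-aware SQL lexer scanning a single-quoted literal whose
    body starts at `start`: a complete multibyte character is consumed whole,
    a backslash consumes exactly one following byte, and the first remaining
    quote closes the literal. Returns the index of that closing quote."""
    i, n = start, len(query)
    while i < n:
        b = query[i]
        if is_gbk_lead(b) and i + 1 < n and is_gbk_trail(query[i + 1]):
            i += 2
        elif b == 0x5C:
            i += 2
        elif b == 0x27:
            return i
        else:
            i += 1
    return None


def build_query(escape: Callable[[bytes], bytes], value: bytes = PAYLOAD) -> bytes:
    return b"SELECT * FROM users WHERE name = '" + escape(value) + b"'"


def split_query(escape: Callable[[bytes], bytes], value: bytes = PAYLOAD) -> Tuple[bytes, bytes]:
    """Return (literal body as the server sees it, bytes parsed as SQL after it)."""
    q = build_query(escape, value)
    start = q.index(b"'") + 1
    end = literal_end(q, start)
    if end is None:
        return q[start:], b""
    return q[start:end], q[end + 1:]


if __name__ == "__main__":
    for name, fn in (("addslashes", addslashes), ("charset-aware", charset_aware_escape)):
        body, tail = split_query(fn)
        print(f"{name:14s} literal={body!r} trailing SQL={tail!r}")
```

With addslashes() the server pairs 0xbf with the inserted backslash as one GBK character, the quote survives unescaped, and ` OR 1=1 -- ` is parsed as SQL; the charset-aware escaper backslashes the orphan 0xbf first, so every byte of the payload stays inside the literal. This is why the escaper must be told the same charset the server parses with, which is the behaviour the ticket is relying on from mysql_real_escape_string().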