[wp-trac] Re: [WordPress Trac] #5455: Charset SQL Injection Vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Wed Feb 6 17:26:38 GMT 2008
#5455: Charset SQL Injection Vulnerability
-----------------------+----------------------------------------------------
Reporter: pishmishy | Owner: pishmishy
Type: defect | Status: assigned
Priority: normal | Milestone: 2.6
Component: Security | Version: 2.5
Severity: normal | Resolution:
Keywords: has-patch |
-----------------------+----------------------------------------------------
Comment (by ryan):
If mysql_set_charset() exists and MySQL >= 5.0.7, then call
mysql_set_charset() and use mysql_real_escape_string(). Otherwise we SET
NAMES (if MySQL >= 4.1.0) and continue to escape with slashes. That seems
conservative enough for 2.5. We can put that in and ask those on the
polyglots list to try it out and let us know if there are encoding issues.
Perhaps someday we can do as Drupal and enforce UTF-8 everywhere.
--
Ticket URL: <http://trac.wordpress.org/ticket/5455#comment:18>
WordPress Trac <http://trac.wordpress.org/>
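The selection logic described in the comment above, written out as an added example (not WordPress's own wpdb code). It assumes the legacy PHP mysql extension and an open link resource `$dbh`; the function and variable names are hypothetical.

```php
<?php
// Decide which escaping path to use, following the rule in the comment:
// mysql_set_charset() + mysql_real_escape_string() when available and the
// server is >= 5.0.7; SET NAMES + slashes for >= 4.1.0; slashes only below that.
function wp_trac5455_choose_mode($server_version, $has_set_charset) {
    // Keep only the numeric part of strings like "5.0.51a-log" (constructed).
    $clean = preg_replace('/[^0-9.].*$/', '', $server_version);
    if ($has_set_charset && version_compare($clean, '5.0.7', '>=')) {
        return 'set_charset';   // client library knows the charset
    }
    if (version_compare($clean, '4.1.0', '>=')) {
        return 'set_names';     // server-side charset only
    }
    return 'slashes_only';      // pre-4.1 servers: no connection charset
}

// Apply the chosen mode to a live connection and return the mode in use.
function wp_trac5455_init_escaping($dbh, $charset = 'utf8') {
    $mode = wp_trac5455_choose_mode(mysql_get_server_info($dbh),
                                    function_exists('mysql_set_charset'));
    if ($mode === 'set_charset') {
        mysql_set_charset($charset, $dbh);
    } elseif ($mode === 'set_names') {
        // Charset name is whitelisted to identifier characters before use.
        $safe = preg_replace('/[^A-Za-z0-9_]/', '', $charset);
        mysql_query("SET NAMES " . $safe, $dbh);
    }
    return $mode;
}

// Escape one value according to the mode chosen at connect time.
// mysql_real_escape_string() is charset-aware only after mysql_set_charset();
// addslashes() is the byte-oriented fallback the comment refers to.
function wp_trac5455_escape($value, $mode, $dbh) {
    if ($mode === 'set_charset') {
        return mysql_real_escape_string($value, $dbh);
    }
    return addslashes($value);
}
```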