[wp-trac] Re: [WordPress Trac] #5455: Charset SQL Injection Vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Wed Feb 6 18:09:18 GMT 2008
#5455: Charset SQL Injection Vulnerability
-----------------------+----------------------------------------------------
Reporter: pishmishy | Owner: pishmishy
Type: defect | Status: assigned
Priority: normal | Milestone: 2.6
Component: Security | Version: 2.5
Severity: normal | Resolution:
Keywords: has-patch |
-----------------------+----------------------------------------------------
Comment (by ryan):
Last time we tried to switch to mysql_real_escape_string(), it stomped
characters for lots of people. Part of that was because of bugs in
mysql_real_escape_string(), IIRC, some of which were addressed by
mysql_set_charset(). To safely use mysql_real_escape_string(), I think we
have to have mysql_set_charset() and MySQL 5.0.7 and the user needs to
define DB_CHARSET to match his tables. There's also the possibility I
don't know what I'm talking about.
http://ilia.ws/archives/103-mysql_real_escape_string-versus-Prepared-Statements.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-22.html
http://dev.mysql.com/doc/refman/5.0/es/mysql-real-escape-string.html
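An added illustration of the precondition ryan describes (this is example code, not code from the ticket or from WordPress): with mysqli, the connection charset is set before anything is escaped, and the charset of the tables is compared against it so a mismatched DB_CHARSET is caught rather than silently breaking the escaping. It assumes DB_HOST, DB_USER, DB_PASSWORD, DB_NAME and DB_CHARSET are defined as in wp-config.php, and $untrusted stands in for request input.

```php
<?php
// Added example, not WordPress code. Assumes the DB_* constants from
// wp-config.php are defined; $untrusted is a placeholder for request input.

$link = mysqli_connect(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if ($link === false) {
    die('connect failed: ' . mysqli_connect_error());
}

// mysqli_set_charset() informs both the client library and the server of the
// connection charset, so escaping and query parsing agree on where multibyte
// characters begin and end. A bare "SET NAMES" query only changes the server
// side, leaving the client's escaping unaware of the charset.
if (!mysqli_set_charset($link, DB_CHARSET)) {
    die('could not set charset ' . DB_CHARSET . ': ' . mysqli_error($link));
}

// Check that DB_CHARSET really matches the charset the tables use: escaping
// in one charset for data stored in another is exactly the mismatch the
// ticket is about. Table collation -> charset comes from information_schema.
$sql = "SELECT t.TABLE_NAME, c.CHARACTER_SET_NAME
        FROM information_schema.TABLES t
        JOIN information_schema.COLLATIONS c
          ON c.COLLATION_NAME = t.TABLE_COLLATION
        WHERE t.TABLE_SCHEMA = DATABASE()";
$connection_charset = mysqli_character_set_name($link);
$mismatched = array();
$res = mysqli_query($link, $sql);
while ($row = mysqli_fetch_assoc($res)) {
    if (strcasecmp($row['CHARACTER_SET_NAME'], $connection_charset) !== 0) {
        $mismatched[] = $row['TABLE_NAME'] . ' (' . $row['CHARACTER_SET_NAME'] . ')';
    }
}
if ($mismatched) {
    trigger_error('connection charset ' . $connection_charset
        . ' differs from tables: ' . implode(', ', $mismatched), E_USER_WARNING);
}

// Only after the charset is set and verified is mysqli_real_escape_string()
// escaping with the same charset the server will use to parse the query.
$untrusted = isset($_GET['s']) ? $_GET['s'] : '';
$escaped   = mysqli_real_escape_string($link, $untrusted);
$result    = mysqli_query($link,
    "SELECT ID FROM wp_posts WHERE post_title = '$escaped'");
```

The information_schema check is a deployment-time diagnostic; it need not run on every request.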
--
Ticket URL: <http://trac.wordpress.org/ticket/5455#comment:20>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software