[wp-trac] [WordPress Trac] #11605: esc_sql does not escape sql, it just adds slashes
WordPress Trac
wp-trac at lists.automattic.com
Sun Dec 27 11:06:18 UTC 2009
#11605: esc_sql does not escape sql, it just adds slashes
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: closed
Priority: normal | Milestone:
Component: Security | Version:
Severity: normal | Resolution: invalid
Keywords: |
--------------------------+-------------------------------------------------
Changes (by nacin):
* keywords: has-patch =>
* status: new => closed
* version: 2.9 =>
* resolution: => invalid
* milestone: 3.0 =>
Comment:
esc_sql() is not an alias for addslashes(). It is an alias for
$wpdb->escape(), big difference:
Anyone using a drop-in wpdb replacement would suddenly find their SQL
unescaped.
wpdb->escape() supports arrays.
This change might cause some developers to simply use addslashes() instead
of esc_sql(). $wpdb->escape() used to be set up to do more than
addslashes(), and may evolve in the future. (Also take a look at the
_escape and _real_escape methods.) Thus, definitely not easier to improve
in the future.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11605#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
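The delegation nacin describes, sketched as an added illustration (this is not WordPress core code; the class names wpdb_minimal and wpdb_dropin and the exact escaping rules are assumptions made for the sketch, only esc_sql(), escape() and _real_escape() are names taken from the ticket):

```php
<?php
// Added sketch, not WordPress core: shows why esc_sql() being an alias for
// $wpdb->escape() matters. Class names and escaping rules are assumptions.

class wpdb_minimal {
    // Single-value escaping; a drop-in wpdb replacement can override this.
    public function _real_escape( $string ) {
        return addslashes( $string );
    }

    // escape() takes a string or an array and escapes recursively,
    // which is the array support the ticket comment refers to.
    public function escape( $data ) {
        if ( is_array( $data ) ) {
            foreach ( $data as $k => $v ) {
                $data[ $k ] = is_array( $v ) ? $this->escape( $v ) : $this->_real_escape( $v );
            }
            return $data;
        }
        return $this->_real_escape( $data );
    }
}

// Hypothetical drop-in replacement whose backend uses different quoting rules
// (here: doubling single quotes instead of backslash-escaping them).
class wpdb_dropin extends wpdb_minimal {
    public function _real_escape( $string ) {
        return str_replace( "'", "''", $string );
    }
}

// esc_sql() as a thin alias over whatever $wpdb instance is active.
function esc_sql( $data ) {
    return $GLOBALS['wpdb']->escape( $data );
}

// Constructed sample input: a nested array, which addslashes() cannot take.
$input = array( 'name' => "O'Reilly", 'tags' => array( "it's", 'plain' ) );

$GLOBALS['wpdb'] = new wpdb_minimal();
var_dump( esc_sql( $input ) );        // every nested string escaped with backslashes

$GLOBALS['wpdb'] = new wpdb_dropin();
var_dump( esc_sql( "O'Reilly" ) );    // O''Reilly : follows the drop-in's rules
var_dump( addslashes( "O'Reilly" ) ); // O\'Reilly : bypasses the drop-in entirely
```

Code that calls addslashes() directly would keep producing backslash-escaped values even after a drop-in wpdb with different quoting rules is installed, which is the "suddenly unescaped" situation the comment warns about.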