[wp-trac] [WordPress Trac] #11605: wpdb::_weak_escape() is an alias to addslashes only
WordPress Trac
wp-trac at lists.automattic.com
Sun Dec 27 22:38:14 UTC 2009
#11605: wpdb::_weak_escape() is an alias to addslashes only
------------------------------+---------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 3.0
Component: Security | Version: 2.9
Severity: normal | Resolution:
Keywords: has-patch tested |
------------------------------+---------------------------------------------
Comment(by nacin):
Replying to [comment:11 hakre]:
> I'm pretty sure those function-names start with {{{_}}} to signal that they are intended for private use.
In this case, I would argue that if anything, they are for protected use,
not private. Many drop-ins replace wpdb::_real_escape() with a method that
calls, say, pg_escape_string() or sqlite_escape_string().
Can we simplify this? Sure, we can change all references of
wpdb::_weak_escape() to addslashes(), and maybe even remove
wpdb::_weak_escape() when we're done. But unless we take it further as
Denis said and overhaul how wpdb escapes SQL, what is truly necessary?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11605#comment:14>
WordPress Trac <http://core.trac.wordpress.org/>