[wp-trac] [WordPress Trac] #11605: wpdb::_weak_escape() is an alias to addslashes only
WordPress Trac
wp-trac at lists.automattic.com
Mon Dec 28 02:38:37 UTC 2009
#11605: wpdb::_weak_escape() is an alias to addslashes only
------------------------------+---------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: reopened
Priority: normal | Milestone: 3.0
Component: Security | Version: 2.9
Severity: normal | Resolution:
Keywords: has-patch tested |
------------------------------+---------------------------------------------
Comment(by hakre):
Replying to [comment:14 nacin]:
> Replying to [comment:11 hakre]:
> > I'm pretty sure those function-names start with {{{_}}} to signal
> > that they are intended for private use.
> In this case, I would argue that if anything, they are for protected
> use, not private. Many drop-ins replace wpdb::_real_escape() with a method
> that calls, say, pg_escape_string() or sqllite_escape_string().
You are so damn smart that I want you to get even smarter. Please tell me
which programming related book you would like to get, I'll send it to you.
PHP 4 and a protected function, I've never been so amused lately.
>
> Can we simplify this? Sure, we can change all references of
> wpdb::_weak_escape() to addslashes(), and maybe even remove
> wpdb::_weak_escape() when we're done. But unless we take it further as
> Denis said and overhaul how wpdb escapes SQL, what is truly necessary?
Well, not much. I've updated the patch to reflect the needed changes for
the whole core code: 11605.5.patch
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11605#comment:15>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software