[wp-trac] [WordPress Trac] #12416: *_option(), *_transient() and *_meta() functions should all expect unslashed data.
WordPress Trac
wp-trac at lists.automattic.com
Tue Apr 20 01:54:03 UTC 2010
#12416: *_option(), *_transient() and *_meta() functions should all expect
unslashed data.
-------------------------------+--------------------------------------------
 Reporter:  Denis-de-Bernardy  |      Owner:  ryan
     Type:  defect (bug)       |     Status:  new
 Priority:  high               |  Milestone:  3.0
Component:  Security           |    Version:  3.0
 Severity:  blocker            |   Keywords:  needs-testing
-------------------------------+--------------------------------------------
Comment(by jamescollins):
In [13673], some {{{$wpdb->prepare()}}} calls were introduced that use
{{{'%s'}}} instead of {{{%s}}}.

According to
http://core.trac.wordpress.org/browser/trunk/wp-includes/wp-db.php#L856,
these should be left unquoted.

As per
http://core.trac.wordpress.org/browser/trunk/wp-includes/wp-db.php#L884,
this won't actually cause problems; however, I still think the instances of
{{{'%s'}}} should be changed to {{{%s}}} in {{{$wpdb->prepare()}}} calls.

There are 3 instances of this in [13673].
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12416#comment:20>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
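
The behaviour discussed in the comment above, as an added example that is not part of the original message and is not WordPress's own code: a simplified PHP model of string-placeholder handling in {{{$wpdb->prepare()}}}, showing that {{{'%s'}}} and {{{%s}}} yield the same query while a placeholder quoted together with other text does not get normalized. The name model_prepare() is hypothetical, addslashes() stands in for the database-aware escaping, and the queries and input value are constructed.

```php
<?php
// Simplified model of placeholder handling in wpdb::prepare(); not WordPress code.
// Assumptions: model_prepare() is a hypothetical name and addslashes() stands in
// for the database-aware escaping that the real class applies to each argument.
function model_prepare(string $query, ...$args): string
{
    // Strip quotes a caller already placed around a string placeholder.
    $query = str_replace(["'%s'", '"%s"'], '%s', $query);
    // Quote every %s that is not part of an escaped %%s.
    $query = preg_replace('/(?<!%)%s/', "'%s'", $query);
    // Escape each argument, then substitute.
    return vsprintf($query, array_map('addslashes', $args));
}

// Constructed sample input containing a single quote.
$name = "it's_a_key";

$unquoted = model_prepare(
    "SELECT option_value FROM wp_options WHERE option_name = %s LIMIT 1", $name);
$quoted = model_prepare(
    "SELECT option_value FROM wp_options WHERE option_name = '%s' LIMIT 1", $name);

// Both forms must produce the same SQL text after normalization.
if ($unquoted !== $quoted) {
    throw new RuntimeException('quoted and unquoted placeholders diverged');
}
echo $unquoted, PHP_EOL;

// The stripping matches only the exact token '%s'. A placeholder quoted together
// with other text is not normalized and ends up quoted twice in this model.
$partial = model_prepare(
    "SELECT option_name FROM wp_options WHERE option_name LIKE '%s%%'", $name);
echo $partial, PHP_EOL;
```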