[wp-trac] [WordPress Trac] #14672: DB: ::constructor() sets charset, ::db_connect() does not
WordPress Trac
wp-trac at lists.automattic.com
Mon Aug 23 13:32:22 UTC 2010
#14672: DB: ::constructor() sets charset, ::db_connect() does not
--------------------------+-------------------------------------------------
Reporter: hakre | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Database | Version:
Severity: normal | Keywords:
--------------------------+-------------------------------------------------
I just ran over duplicated code in wpdb regarding making use of the
mysql_connect function while looking into #14654. That smell led me to
the recognition of an inconsistency between the default constructor of the
class and the (undocumented) {{{db_connect()}}} function:
the constructor does make use of the blog's charset setting while
connecting to the database, while db_connect() does not contain anything
like that. This leaves db_connect() open to charset-based SQL injections.
Basically [10597] as a fix for #5455 is missing for db access that is
relying on db_connect() (Multisite?).
--
Ticket URL: <http://core.trac.wordpress.org/ticket/14672>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
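
Why the charset a connection is opened with matters for escaping, as an added example that is not part of the original ticket and is not WordPress code: a byte-level model showing that escaping is only sound when the escaping routine and the connection agree on the charset. The function names, the choice of GBK as the multibyte charset and the sample bytes are assumptions made for illustration.

```python
# Added example (a model, not wpdb code): escaping vs. connection charset.
BACKSLASH, QUOTE = 0x5C, 0x27


def escape_bytewise(raw: bytes) -> bytes:
    """Charset-unaware escaping: backslash-prefix every 0x5C and 0x27 byte."""
    out = bytearray()
    for b in raw:
        if b in (BACKSLASH, QUOTE):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def escape_for_charset(raw: bytes, charset: str) -> bytes:
    """Charset-aware escaping: validate the input in the connection charset,
    escape whole characters, then re-encode.
    Raises UnicodeDecodeError if the input is not valid in that charset."""
    text = raw.decode(charset)  # strict decoding rejects malformed sequences
    return text.replace("\\", "\\\\").replace("'", "\\'").encode(charset)


def live_quotes(escaped: bytes, connection_charset: str) -> int:
    """Count the quotes that still end a string literal once the server
    decodes the escaped bytes in its connection charset."""
    text = escaped.decode(connection_charset, errors="replace")
    count = i = 0
    while i < len(text):
        if text[i] == "\\":  # a backslash neutralises the next character
            i += 2
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


# Constructed sample input: a lone GBK lead byte followed by a quote.
SAMPLE = b"\xbf'"

if __name__ == "__main__":
    escaped = escape_bytewise(SAMPLE)
    # Escaper and connection agree on a single-byte charset: quote stays escaped.
    print("latin-1 connection:", live_quotes(escaped, "latin-1"))
    # Connection decodes as GBK: the lead byte absorbs the added backslash.
    print("gbk connection:    ", live_quotes(escaped, "gbk"))
    # Charset-aware escaping of valid GBK text leaves no live quote.
    ok = escape_for_charset("O'Reilly".encode("gbk"), "gbk")
    print("charset-aware:     ", live_quotes(ok, "gbk"))
```
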