[wp-trac] [WordPress Trac] #11819: Use mysql_real_escape_string instead of addslashes
WordPress Trac
wp-trac at lists.automattic.com
Mon Feb 15 12:15:57 UTC 2010
#11819: Use mysql_real_escape_string instead of addslashes
-----------------------------------+----------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: reopened
Priority: high | Milestone: 3.0
Component: Security | Version: 2.5
Severity: critical | Resolution:
Keywords: dev-feedback featured |
-----------------------------------+----------------------------------------
Comment(by miqrogroove):
Replying to [comment:11 ryan]:
> I don't think we can do any real escaping in escape() because it will
> reopen #9189. mysql_real_escape_string() is not reversible like
> addslashes() is. Due to sordid history, most WP functions expect slashed
> data. Those slashes are then stripped and prepare is used. If data is
> passed real escaped, unslashing won't necessarily work. We can expose
> real_escape() or something similar though. Plugins have to keep in
> mind that this should be used only when doing its own queries, not when
> passing things to WP API functions.
I think this reasoning became obsolete in [12961]. Mark helped me get
that committed because some of the like_escape() logic was looking
unpossible without a clean input path. According to Mark, slashed inputs
were never intended to be touched by any DB logic, and never will be.
They are now officially separate.
This might be the key to moving forward with SQL sanity.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11819#comment:22>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
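The reversibility point raised in the quoted comment, as an added example (not from the ticket or from WordPress core): Python models of PHP's addslashes()/stripslashes() and of the escaping rules of mysql_real_escape_string(), assuming a single-byte connection charset, showing that stripping slashes from real-escaped data corrupts it while addslashes() data round-trips cleanly.

```python
# Added example, not from the ticket: models addslashes()/stripslashes() and
# the mysql_real_escape_string() rules (single-byte charset assumed).

def php_addslashes(s: str) -> str:
    """PHP addslashes(): backslash before ', ", \\ and NUL (NUL becomes \\0)."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)

def php_stripslashes(s: str) -> str:
    """PHP stripslashes(): drop one backslash; \\0 restores NUL, \\\\ restores \\."""
    out = []
    i = 0
    while i < len(s):
        ch = s[i]
        if ch == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            out.append("\x00" if nxt == "0" else nxt)
            i += 2
        elif ch == "\\":
            i += 1  # a trailing lone backslash is dropped
        else:
            out.append(ch)
            i += 1
    return "".join(out)

MYSQL_ESCAPES = {
    "\x00": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

def mysql_real_escape(s: str) -> str:
    """Escaping rules of mysql_real_escape_string() (no multibyte charset)."""
    return "".join(MYSQL_ESCAPES.get(ch, ch) for ch in s)

def round_trips(escape, s: str) -> bool:
    """True when stripslashes() recovers the original after `escape`."""
    return php_stripslashes(escape(s)) == s

SAMPLE = "O'Reilly\nline2\x00end"  # constructed input: quote, newline, NUL

if __name__ == "__main__":
    print(round_trips(php_addslashes, SAMPLE))     # True
    print(round_trips(mysql_real_escape, SAMPLE))  # False: "\n" comes back as "n"
```

The newline in SAMPLE becomes the two characters backslash and `n` under MySQL escaping, and stripslashes() then leaves a bare `n`, which is exactly why slashed input and real-escaped input cannot share one unslash path.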