[wp-trac] [WordPress Trac] #12402: make addslashes_gpc() use addslashes() fix to use real_escape, rather than addslashes
WordPress Trac
wp-trac at lists.automattic.com
Sat Feb 27 02:44:20 UTC 2010
#12402: make addslashes_gpc() use addslashes() fix to use real_escape, rather than addslashes
-------------------------------+--------------------------------------------
Reporter: Denis-de-Bernardy | Owner: ryan
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.0
Component: Security | Version: 3.0
Severity: normal | Keywords: has-patch needs-testing
-------------------------------+--------------------------------------------
If memory serves, the main problems with making wpdb->escape() point to
mysql_real_escape_string() were two:
1. mysql_real_escape_string() doesn't work on all platforms
2. mysql_real_escape_string() doesn't play well with unslashing
Point 1 is covered in wpdb->_real_escape().
The legacy fix to point 2, for some strange reason, led to disabling
mysql_real_escape_string() on platforms that could actually use it,
instead of using add_magic_quotes() where calls to
addslashes()/stripslashes() could occur.
r12961 partially fixes point 2. But only partially.
At the risk of re-opening the can of worms, the attached patch finishes
fixing point 2:
- It changes addslashes_gpc() and esc_sql() so that they use
add_magic_quotes() instead.
- This frees wpdb->escape(), which can then be a true alias for
wpdb->_real_escape().
I've scanned trunk for occurrences of wpdb->escape() used on arrays --
there were none.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/12402>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
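The "doesn't play well with unslashing" problem in point 2 above comes down to a round-trip property: stripslashes() exactly undoes addslashes(), but it does not undo the MySQL escaping rules, because those also escape bytes (newline, carriage return, Ctrl-Z) that stripslashes() cannot restore. The script below is an added illustration, not code from WordPress, the ticket, or its patch. The mysql_escape() function in it is an assumed, hand-written approximation of the byte-level rules of mysql_real_escape_string() so that the script runs without a database connection; it is not charset-aware and is for illustration only.

```php
<?php
// Added example, not code from WordPress or the ticket's patch.
// Shows why addslashes() survives a stripslashes() round-trip while the
// MySQL escaping rules do not, and why feeding an already-slashed value
// to a real escaper double-escapes it.
//
// ASSUMPTION: mysql_escape() is a hand-written approximation of the
// byte-level rules of mysql_real_escape_string() (NUL, \n, \r, \, ', "
// and Ctrl-Z are escaped) so this runs with no database connection.
// It is not charset-aware; do not use it in real code.

function mysql_escape(string $s): string
{
    return strtr($s, [
        "\0"   => '\0',
        "\n"   => '\n',
        "\r"   => '\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\"',
        "\x1a" => '\Z',
    ]);
}

// Does $escape() followed by stripslashes() give the original value back?
function round_trips(callable $escape, string $value): bool
{
    return stripslashes($escape($value)) === $value;
}

// Constructed sample values, the kind a comment form or search box submits.
$samples = [
    "O'Reilly",            // single quote: both escapers agree
    "a\\b",                // backslash: both escapers agree
    "\"quoted\" text",     // double quote: both escapers agree
    "line one\nline two",  // newline: only the MySQL rules touch it
];

foreach ($samples as $value) {
    printf("%-24s addslashes: %s   mysql rules: %s\n",
        json_encode($value),
        round_trips('addslashes', $value) ? 'ok    ' : 'BROKEN',
        round_trips('mysql_escape', $value) ? 'ok    ' : 'BROKEN');
}

// Double escaping: a GPC value that already carries magic-quotes slashes,
// passed through the MySQL rules, gets its backslash escaped again.
// This is why one function cannot serve as both the GPC slashing helper
// and the real query escaper.
$slashed = addslashes("O'Reilly");
echo "\n", $slashed, " -> ", mysql_escape($slashed), "\n";
```

Run it with the PHP CLI; the newline sample is the one that reports BROKEN for the MySQL rules, since the escaped sequence backslash-n is turned into a bare "n" by stripslashes(). That is the case add_magic_quotes() handles correctly for GPC data and the real escaper does not, which is why the ticket separates the two roles.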