[wp-trac] [WordPress Trac] #11819: mysql_real_escape_string available now / PHP 4.3 are minimum system requirements since 2.9
WordPress Trac
wp-trac at lists.automattic.com
Fri Jan 8 04:41:35 UTC 2010
#11819: mysql_real_escape_string available now / PHP 4.3 are minimum system
requirements since 2.9
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: new
Priority: high | Milestone: 2.9.2
Component: Security | Version: 2.9.1
Severity: critical | Keywords: needs-patch
--------------------------+-------------------------------------------------
Good news for security: 2.9 was released about 20 days ago, which raised
the minimum PHP requirement to version 4.3. A benefit of that version is
that it provides an important function to prevent SQL injections:
[http://php.net/manual/en/function.mysql-real-escape-string.php
mysql_real_escape_string()]
Writing those lines as of today might look a bit awkward, but until today
there have already been multiple attempts to get the escaping of data for
the database done properly, including the use of mysql_real_escape_string.
A first try was done in [2684] as a fix for #1394. I can not say it better
in my own words than the ticket's description:
add_slashes() does not escape all database input correctly
That was for WordPress version 1.5, about 5 years ago by now. But those
changes were reverted in [2737], where matt described his own code as
''"It falls back to funky escaping that causes problems and is not
reversible, so temporarily disabling."''. There is no ticket available
related to that changeset, so this is the only documentation we have of why
that was removed.
I '''strongly''' doubt that ''mysql_real_escape_string()'' is broken and I
see absolutely no argument to not use it from now on whenever something
needs to be escaped for database queries and a resource link to the MySQL
connection is available.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11819>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
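The ticket argues that mysql_real_escape_string() should replace addslashes-style escaping wherever a database link is available. The block below is an added example, not code from the ticket or from WordPress: it models PHP's addslashes() and the charset-aware escaping that mysql_real_escape_string() obtains from the MySQL client library, and adds a small model of how the MySQL lexer walks a quoted literal, so the difference can be observed offline. The GBK input is constructed for this example (the ticket itself does not discuss multibyte charsets); Python is used because the PHP function needs a live MySQL connection, and every name in the block is this example's own.

```python
# Added example, not code from the ticket or from WordPress: Python models of
# PHP addslashes() and of the charset-aware escaping mysql_real_escape_string()
# gets from the MySQL client library, plus a model of the MySQL lexer's walk
# through a quoted literal. The GBK bytes used below are constructed input.

GBK = "gbk"
LATIN1 = "latin1"


def _gbk_is_mbchar(data: bytes, i: int) -> bool:
    """True if data[i:i+2] is a valid two-byte GBK character
    (lead 0x81-0xFE, trail 0x40-0x7E or 0x80-0xFE)."""
    if i + 1 >= len(data):
        return False
    lead, trail = data[i], data[i + 1]
    return 0x81 <= lead <= 0xFE and (0x40 <= trail <= 0x7E or 0x80 <= trail <= 0xFE)


def addslashes(data: bytes) -> bytes:
    """Model of PHP addslashes(): a backslash before ', " and \\, NUL as \\0.
    It is byte-oriented and knows nothing about the connection charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):
            out += b"\\" + bytes([b])
        elif b == 0x00:
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


# Escapes applied by the MySQL client library's escape routine.
_MYSQL_ESCAPES = {
    0x00: b"\\0", 0x0A: b"\\n", 0x0D: b"\\r", 0x5C: b"\\\\",
    0x27: b"\\'", 0x22: b'\\"', 0x1A: b"\\Z",
}


def mysql_escape(data: bytes, charset: str = LATIN1) -> bytes:
    """Model of mysql_real_escape_string() for a latin1 or gbk connection.
    A valid multi-byte character is copied whole; a byte that looks like a
    lead byte but does not start a valid character is escaped itself, so a
    backslash inserted after it can never be swallowed into a character."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if charset == GBK:
            if _gbk_is_mbchar(data, i):
                out += data[i:i + 2]
                i += 2
                continue
            if 0x81 <= b <= 0xFE:
                out += b"\\" + bytes([b])
                i += 1
                continue
        out += _MYSQL_ESCAPES.get(b, bytes([b]))
        i += 1
    return bytes(out)


def literal_breaks_out(escaped: bytes, charset: str) -> bool:
    """Model of how the MySQL lexer reads the bytes between two quotes:
    a valid multi-byte character is consumed whole (a backslash that is
    its trail byte is not an escape), a backslash consumes the byte after
    it, and a bare ' ends the literal. True means the value would close
    the quotes it was wrapped in, i.e. the rest of it becomes SQL."""
    i = 0
    while i < len(escaped):
        if charset == GBK and _gbk_is_mbchar(escaped, i):
            i += 2
            continue
        b = escaped[i]
        if b == 0x5C:
            i += 2
            continue
        if b == 0x27:
            return True
        i += 1
    return False


def compare(value: bytes, charset: str) -> dict:
    """Escape one value both ways and report whether each survives the lexer."""
    a, m = addslashes(value), mysql_escape(value, charset)
    return {
        "addslashes": (a, literal_breaks_out(a, charset)),
        "mysql_real_escape_string": (m, literal_breaks_out(m, charset)),
    }


if __name__ == "__main__":
    # Constructed inputs: an ordinary quote, and 0xBF followed by a quote,
    # which addslashes turns into 0xBF 0x5C 0x27: a valid GBK character
    # followed by a bare quote.
    for value, cs in ((b"O'Reilly\n", LATIN1), (b"\xbf'", GBK)):
        for name, (esc, broken) in compare(value, cs).items():
            print(f"{cs:7} {name:26} {esc!r:24} breaks out: {broken}")
```

With a single-byte connection charset both routines keep the quote inside the literal; the difference shows up once the server interprets the bytes as a multibyte charset, which is exactly the information addslashes() cannot have and mysql_real_escape_string() gets from the connection handle. The model follows the client library's rule of escaping an invalid lead byte on its own; a real deployment should additionally set the connection charset through the client library rather than only with a SET NAMES query, so that the library and the server agree on it.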