[wp-trac] [WordPress Trac] #11819: Use mysql_real_escape_string instead of addslashes
WordPress Trac
wp-trac at lists.automattic.com
Fri Jan 8 05:45:38 UTC 2010
#11819: Use mysql_real_escape_string instead of addslashes
--------------------------+-------------------------------------------------
 Reporter:  hakre         |        Owner:  ryan
     Type:  defect (bug)  |       Status:  closed
 Priority:  high          |    Milestone:
Component:  Security      |      Version:  2.9.1
 Severity:  critical      |   Resolution:  invalid
 Keywords:  dev-feedback  |
--------------------------+-------------------------------------------------
Changes (by ryan):
* status: new => closed
* resolution: => invalid
* milestone: Unassigned =>
Comment:
We do use it if mysql_set_charset() is available and the charset is set.
It is done with prepare(), insert(), and update() which covers all core
queries. It is not done in escape() for plugin compat reasons. Plugins
should use prepare(), insert() or update() to get real escaping.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11819#comment:3>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
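
Added example (not part of the ticket or of WordPress core): how plugin code can route its queries through prepare(), insert() and update(), as the comment above recommends, rather than concatenating values passed through escape(). It assumes it runs inside WordPress, where the global $wpdb exists; the table "demo_notes" and its columns are hypothetical.

```php
<?php
// Assumption: loaded by WordPress (e.g. from a plugin file), so $wpdb exists.
// Hypothetical table: {prefix}demo_notes with columns id, author, body.

function demo_notes_by_author( $author, $limit ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_notes';

    // Avoid building the query by hand around escape():
    //   "... WHERE author = '" . $wpdb->escape( $author ) . "'"
    // Per the comment above, escape() keeps its old behaviour for plugin
    // compatibility and does not get the real escaping.

    // prepare() escapes each argument and substitutes it for its placeholder.
    // %s is a string, %d an integer; the placeholders are not quoted by hand.
    $sql = $wpdb->prepare(
        "SELECT id, body FROM $table WHERE author = %s ORDER BY id DESC LIMIT %d",
        $author,
        $limit
    );
    return $wpdb->get_results( $sql );
}

function demo_notes_add( $author, $body ) {
    global $wpdb;
    // insert() expects raw values; escaping them first would double-escape.
    $ok = $wpdb->insert(
        $wpdb->prefix . 'demo_notes',
        array( 'author' => $author, 'body' => $body ),
        array( '%s', '%s' )              // one format per column
    );
    return $ok ? $wpdb->insert_id : false;
}

function demo_notes_set_body( $id, $body ) {
    global $wpdb;
    // update() likewise takes raw values for both the SET and WHERE parts.
    return $wpdb->update(
        $wpdb->prefix . 'demo_notes',
        array( 'body' => $body ),        // SET body = ...
        array( 'id' => $id ),            // WHERE id = ...
        array( '%s' ),
        array( '%d' )
    );
}
```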