[wp-trac] [WordPress Trac] #11819: Use mysql_real_escape_string instead of addslashes
WordPress Trac
wp-trac at lists.automattic.com
Fri Jan 8 10:44:45 UTC 2010
#11819: Use mysql_real_escape_string instead of addslashes
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: closed
Priority: high | Milestone:
Component: Security | Version: 2.9.1
Severity: critical | Resolution: invalid
Keywords: dev-feedback |
--------------------------+-------------------------------------------------
Comment(by Denis-de-Bernardy):
Replying to [comment:3 ryan]:
> We do use it if mysql_set_charset() is available and the charset is set.
It is done with prepare(), insert(), and update() which covers all core
queries. It is not done in escape() for plugin compat reasons. Plugins
should use prepare(), insert() or update() to get real escaping.
Plugins also use escape() because prepare() has a messy/buggy syntax.
Please consider re-opening this.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11819#comment:4>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
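Added example, not part of the ticket or of WordPress core: the same plugin lookup written the way the comment above discourages (escape() plus hand-built quoting) and the way it recommends (prepare(), insert(), update()). It assumes a normal WordPress load where the global $wpdb exists and a hypothetical plugin table {$wpdb->prefix}plugin_notes with columns id, post_id, author and note; the placeholder behaviour of prepare() (%s quoted and escaped, %d cast to integer) is the one wpdb has had since prepare() was introduced.

```php
<?php
// Example code, not from the ticket. Assumes WordPress is loaded and that
// the hypothetical table {$wpdb->prefix}plugin_notes exists with columns
// id, post_id, author, note.
global $wpdb;
$table = $wpdb->prefix . 'plugin_notes'; // hypothetical plugin table

// Pattern the comment argues against: escape() is addslashes-style and is
// not tied to the connection charset, and the caller still has to get the
// quoting right by hand in the SQL string.
$author = $wpdb->escape( $_GET['author'] );
$rows   = $wpdb->get_results(
    "SELECT id, note FROM $table WHERE author = '$author'"
);

// Pattern the comment recommends: prepare() with sprintf-style placeholders.
// %s is escaped through the real (connection-aware) escaper and quoted for
// you; %d is formatted as an integer, so a non-numeric value cannot leak in.
$rows = $wpdb->get_results( $wpdb->prepare(
    "SELECT id, note FROM $table WHERE author = %s AND post_id = %d",
    $_GET['author'],
    $_GET['post_id']
) );

// insert() and update() take column => value arrays and escape every value
// themselves; the optional format arrays declare which values are strings
// (%s) and which are integers (%d), in the same order as the data array.
$wpdb->insert(
    $table,
    array(
        'post_id' => 42,
        'author'  => $_GET['author'],
        'note'    => $_POST['note'],
    ),
    array( '%d', '%s', '%s' )
);

$wpdb->update(
    $table,
    array( 'note' => $_POST['note'] ),   // SET clause
    array( 'id' => (int) $_GET['id'] ),  // WHERE clause
    array( '%s' ),                       // format of the SET values
    array( '%d' )                        // format of the WHERE values
);
```

The practical check when reviewing a plugin is whether any SQL string is built by concatenating a value that only went through escape() (or addslashes()); each such spot can be moved to one of the three calls above without changing what the query does.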