[wp-trac] [WordPress Trac] #11819: Use mysql_real_escape_string instead of addslashes
WordPress Trac
wp-trac at lists.automattic.com
Fri Jan 8 12:51:48 UTC 2010
#11819: Use mysql_real_escape_string instead of addslashes
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: closed
Priority: high | Milestone:
Component: Security | Version: 2.5
Severity: critical | Resolution: invalid
Keywords: dev-feedback |
--------------------------+-------------------------------------------------
Changes (by hakre):
* version: 2.9.1 => 2.5
Comment:
Replying to [comment:3 ryan]:
> We do use it if mysql_set_charset() is available and the charset is set.
> It is done with prepare(), insert(), and update() which covers all core
> queries. It is not done in escape() for plugin compat reasons. Plugins
> should use prepare(), insert() or update() to get real escaping.
Which just means that installations running below PHP 5.2.3 will not
have proper SQL escaping {{{[mysql_set_charset (PHP 5 >= 5.2.3)]}}}.
I see no technical reason not to use it with a standard database
connection as well, regardless of the usage of mysql_set_charset(). If you
can provide arguments which do actually prevent a usage in those cases,
please name those. If it's too technical, please link them at least.
I think it's a bad idea to not have that in based only on assumptions from
years ago. The change history does not show a clear picture here.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11819#comment:5>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
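The comment above names three wpdb methods (prepare(), insert(), update()) as the ones plugins should use to get real escaping, and escape() as the one that stays on addslashes() for compatibility. The following is an added example, not code from the ticket or from WordPress core, showing what that advice looks like in a plugin. It assumes the normal plugin context with the global $wpdb object; the table name, column names and request parameters are hypothetical.

```php
<?php
// Added example (not from the ticket or WordPress core): the wpdb methods the
// comment recommends, used the way a plugin should. Assumes the usual plugin
// context with the global $wpdb; table, columns and request keys are hypothetical.
global $wpdb;
$table = $wpdb->prefix . 'example_notes'; // hypothetical table

// Untrusted input, as a plugin would receive it from the request.
$user_id = isset( $_GET['user'] ) ? $_GET['user'] : 0;
$title   = isset( $_POST['title'] ) ? $_POST['title'] : '';

// 1. prepare(): sprintf-style placeholders. %d is cast to an integer, %s is
//    quoted and escaped through the connection-aware escaping path, so the
//    value never reaches the query as raw text.
$sql = $wpdb->prepare(
    "SELECT id, title FROM $table WHERE user_id = %d AND title = %s",
    $user_id,
    $title
);
$rows = $wpdb->get_results( $sql );

// 2. insert(): each column value is escaped according to its format specifier.
$wpdb->insert(
    $table,
    array( 'user_id' => $user_id, 'title' => $title ),
    array( '%d', '%s' )
);

// 3. update(): same treatment for the SET values and the WHERE clause.
$wpdb->update(
    $table,
    array( 'title' => $title ),          // data
    array( 'id' => $wpdb->insert_id ),   // where
    array( '%s' ),                        // data format
    array( '%d' )                         // where format
);

// The pattern the comment warns against: escape() is kept on addslashes() for
// plugin compatibility, so a hand-concatenated query does not get the real
// (charset-aware) escaping that prepare()/insert()/update() provide.
// $rows = $wpdb->get_results(
//     "SELECT id FROM $table WHERE title = '" . $wpdb->escape( $title ) . "'"
// );
```

The format arrays passed to insert() and update() are what select the escaping for each column; leaving them out makes wpdb treat every value as a string, which still goes through the prepared path but loses the integer cast on numeric columns.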