[wp-trac] [WordPress Trac] #11819: Use mysql_real_escape_string instead of addslashes
WordPress Trac
wp-trac at lists.automattic.com
Fri Jan 8 18:24:48 UTC 2010
#11819: Use mysql_real_escape_string instead of addslashes
--------------------------+-------------------------------------------------
Reporter: hakre | Owner: ryan
Type: defect (bug) | Status: reopened
Priority: high | Milestone:
Component: Security | Version: 2.5
Severity: critical | Resolution:
Keywords: dev-feedback |
--------------------------+-------------------------------------------------
Comment(by ryan):
I don't think we can do any real escaping in escape() because it will
reopen #9189. mysql_real_escape_string() is not reversible like
addslashes() is. Due to sordid history, most WP functions expect slashed
data. Those slashes are then stripped and prepare is used. If data is
passed real escaped, unslashing won't necessarily work. We can expose
real_escape() or something similar though. Plugins have to keep in
mind that this should be used only when doing its own queries, not when
passing things to WP API functions.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/11819#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
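The reversibility point in ryan's comment, worked through as an added example (not code from the ticket or from WordPress core). Because mysql_real_escape_string() needs a live MySQL connection, the block stands in a hypothetical mysql_style_escape() helper that reproduces MySQL's documented client escaping table; that helper name, the round_trip_* functions and the sample strings are the example's own.

```php
<?php
// Added example: why stripslashes() undoes addslashes() but cannot be relied
// on to undo MySQL-style real escaping. Slashed data is WordPress' internal
// convention: addslashes() on the way in, stripslashes() before prepare().

// Hypothetical stand-in for mysql_real_escape_string(), which requires a
// connection. It follows the MySQL client escaping table (assumption: plain
// single-byte semantics, no charset-specific behaviour).
function mysql_style_escape(string $s): string {
    return strtr($s, [
        "\0"   => '\\0',   // NUL     -> \0
        "\n"   => '\\n',   // newline -> \n  (letter n, not a newline)
        "\r"   => '\\r',   // CR      -> \r
        "\\"   => '\\\\',  // \       -> \\
        "'"    => "\\'",   // '       -> \'
        '"'    => '\\"',   // "       -> \"
        "\x1a" => '\\Z',   // Ctrl-Z  -> \Z
    ]);
}

// addslashes() only ever inserts a backslash before ' " \ and NUL, so
// stripslashes() recovers the original byte for byte.
function round_trip_weak(string $s): string {
    return stripslashes(addslashes($s));
}

// Real escaping rewrites control bytes as letters; stripslashes() then just
// drops the backslash and keeps the letter, so the data changes.
function round_trip_real(string $s): string {
    return stripslashes(mysql_style_escape($s));
}

// Constructed sample inputs covering the cases where the two escapers differ.
$samples = [
    "O'Reilly",        // quotes: both escapers survive the round trip
    "nul\0byte",       // NUL: stripslashes() turns \0 back into NUL for both
    "line1\nline2",    // newline: real escaping comes back as "line1nline2"
    "ctrl-z\x1a",      // 0x1A: real escaping comes back as "ctrl-zZ"
];

foreach ($samples as $input) {
    $weak = round_trip_weak($input);
    $real = round_trip_real($input);
    printf("%-18s addslashes:%s  real_escape:%s -> %s\n",
        json_encode($input),
        $weak === $input ? 'ok ' : 'BAD',
        $real === $input ? 'ok ' : 'BAD',
        json_encode($real));
}
```

Run it with `php` on the command line. The last two samples show the failure mode the comment describes: a plugin that real-escapes a value and then hands it to a core function expecting slashed data will have that value silently corrupted once core strips the slashes, which is why real escaping belongs only in a plugin's own direct queries.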