[wp-trac] [WordPress Trac] #11819: Use mysql_real_escape_string instead of addslashes

WordPress Trac wp-trac at lists.automattic.com
Fri Jan 8 18:24:48 UTC 2010


#11819: Use mysql_real_escape_string instead of addslashes
--------------------------+-------------------------------------------------
 Reporter:  hakre         |        Owner:  ryan    
     Type:  defect (bug)  |       Status:  reopened
 Priority:  high          |    Milestone:          
Component:  Security      |      Version:  2.5     
 Severity:  critical      |   Resolution:          
 Keywords:  dev-feedback  |  
--------------------------+-------------------------------------------------

Comment(by ryan):

 I don't think we can do any real escaping in escape() because it will
 reopen #9189.  mysql_real_escape_string() is not reversible like
 addslashes() is.  Due to sordid history, most WP functions expect slashed
 data. Those slashes are then stripped and prepare is used.  If data is
 passed real escaped, unslashing won't necessarily work.  We can expose
 real_escape() or something similar though.  Plugins have to keep in
 mind that this should be used only when doing its own queries, not when
 passing things to WP API functions.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11819#comment:11>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
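The reversibility point above can be checked directly. The following is an added example for this ticket, not code from WordPress core or from the comment author. Because mysql_real_escape_string() needs a live MySQL connection, the script uses a hypothetical mysql_style_escape() that emulates its escape set (NUL, newline, carriage return, backslash, both quotes, Ctrl-Z); the inputs are constructed.

```php
<?php
// Added example for ticket #11819; not WordPress core code.
// mysql_real_escape_string() requires a connection, so this helper emulates
// its escape set (assumption: NUL, \n, \r, \, ', ", Ctrl-Z) with strtr().
function mysql_style_escape(string $s): string {
    return strtr($s, [
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Does stripslashes() on the escaped value give back the original string?
// This is the property WP's slashed-data convention relies on.
function round_trips(callable $escape, string $s): bool {
    return stripslashes($escape($s)) === $s;
}

// Constructed test inputs: an apostrophe, backslashes, and a newline.
$inputs = [
    "O'Reilly",
    'C:\\path\\file',
    "line one\nline two",
];

foreach ($inputs as $s) {
    printf("%-22s addslashes round-trips: %-4s real-escape round-trips: %s\n",
        json_encode($s),
        round_trips('addslashes', $s) ? 'yes' : 'no',
        round_trips('mysql_style_escape', $s) ? 'yes' : 'no');
}

// What a WP API function sees if it unslashes real-escaped input:
// stripslashes() turns the two-character sequence \n into a bare "n",
// so the newline in the original data is silently lost.
echo stripslashes(mysql_style_escape("line one\nline two")), "\n";
```

For the quote and backslash inputs both escaping styles round-trip through stripslashes(), which is why the problem is easy to miss; the newline case shows where the behaviour diverges and why real-escaped data must go straight into the plugin's own query rather than into a WP API function that will unslash it.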
