[wp-trac] [WordPress Trac] #11819: Use mysql_real_escape_string instead of addslashes

WordPress Trac wp-trac at lists.automattic.com
Sun Jan 17 03:25:19 UTC 2010


#11819: Use mysql_real_escape_string instead of addslashes
--------------------------+-------------------------------------------------
 Reporter:  hakre         |        Owner:  ryan    
     Type:  defect (bug)  |       Status:  reopened
 Priority:  high          |    Milestone:  3.0     
Component:  Security      |      Version:  2.5     
 Severity:  critical      |   Resolution:          
 Keywords:  dev-feedback  |  
--------------------------+-------------------------------------------------

Comment(by hakre):

 Replying to [comment:10 ryan]:
 > I'll provide more background in hopes I can point to this ticket the
 > next time it comes up.
 >
 > mysql_set_charset() and its counterpart mysql_set_character_set() in
 > MySQL are needed to properly set the internal encoding used by
 > mysql_real_escape_string() and other functions.  SET NAMES is not
 > sufficient.

 I had the fear that you would refer to it, but I could not find any source
 that is backing this up. Can you please name precisely the root cause why
 mysql_real_escape_string() should not be safe by using "SET NAMES"?

 ----

 Regarding the usage of database escape functions as a tool of general use
 by some users: I think this is the fault of those users and not of the
 API. I mean we are talking here about the DB class, and it's not a general
 escaping class.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11819#comment:14>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
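The point ryan makes in the quoted comment, that the escaping function only works when the client library itself knows the connection charset, is easiest to see as two connection set-ups side by side. The following is an added example written for this page; it is not WordPress code and not part of the ticket. It assumes the PHP mysqli extension (with mysqlnd for `get_result()`), a hypothetical table `posts(id, title)`, and hypothetical connection parameters.

```php
<?php
// Added example (not WordPress code): the connection charset must be set
// through the client library, not with a bare SET NAMES query, or the
// escaping routine applies the wrong encoding rules.
// Assumptions: mysqli + mysqlnd, hypothetical table posts(id, title).

function connect_weak(string $host, string $user, string $pass, string $db): mysqli
{
    $link = new mysqli($host, $user, $pass, $db);
    // WEAK: SET NAMES changes what the server expects, but the client library
    // still believes the connection uses its default charset, so a later
    // real_escape_string() call escapes the string with mismatched rules.
    $link->query("SET NAMES 'utf8mb4'");
    return $link;
}

function connect_safe(string $host, string $user, string $pass, string $db): mysqli
{
    $link = new mysqli($host, $user, $pass, $db);
    // SAFE: set_charset() updates both the server session and the client
    // library's own notion of the charset, so escaping and the server agree.
    if (!$link->set_charset('utf8mb4')) {
        throw new RuntimeException('Failed to set connection charset: ' . $link->error);
    }
    return $link;
}

function find_by_title_escaped(mysqli $link, string $title): array
{
    // Acceptable only on a connection prepared by connect_safe(): the escaping
    // is charset-aware solely because set_charset() was called on $link.
    $sql = "SELECT id, title FROM posts WHERE title = '"
        . $link->real_escape_string($title) . "'";
    $rows = [];
    $res = $link->query($sql);
    while ($row = $res->fetch_assoc()) {
        $rows[] = $row;
    }
    return $rows;
}

function find_by_title_prepared(mysqli $link, string $title): array
{
    // Preferred: a prepared statement transmits the value separately from the
    // SQL text, so no string escaping is involved at all, regardless of charset.
    $stmt = $link->prepare('SELECT id, title FROM posts WHERE title = ?');
    $stmt->bind_param('s', $title);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage (hypothetical credentials):
// $db = connect_safe('localhost', 'app', 'secret', 'blog');
// $rows = find_by_title_prepared($db, "O'Reilly");
```

The escaped variant is kept only to show where the charset dependency lives; in new code the prepared-statement variant removes the dependency entirely and is the form a reviewer would ask for.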