[wp-trac] [WordPress Trac] #24773: Improper DB configuration is a problem for esoteric server character sets
WordPress Trac
noreply at wordpress.org
Tue Jul 16 14:07:07 UTC 2013
#24773: Improper DB configuration is a problem for esoteric server character sets
--------------------------+-----------------
Reporter: nacin | Owner:
Type: defect (bug) | Status: new
Priority: normal | Milestone: 3.6
Component: Database | Version:
Severity: normal | Keywords:
--------------------------+-----------------
If DB_CHARSET is empty or undefined, we do not call mysql_set_charset(),
and in turn, mysql_real_escape_string() is avoided.
We should instead always call mysql_real_escape_string(). As long as we
have a DB connection — and upon construction of wpdb, we will — then the
MySQL server will handle escaping, even if mysql_set_charset() is not
called.
This is ultimately a configuration issue. If you are using a character set
like BIG5 or GBK, you really need to be defining and setting DB_CHARSET.
The default value for DB_CHARSET in wp-config-sample.php is 'utf8'. Also, if
your server's character set is utf8, latin1, and a number of other lesser-
used values, this has no practical effect. A large sampling of WordPress
sites were checked and none were found to have a vulnerable configuration.
This has been reviewed by the WP security team for inclusion in WordPress
3.6.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/24773>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
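
Added example, not part of the ticket or of WordPress: a small audit of why the connection character set matters when quoting is done byte by byte. It assumes the fallback path is a charset-unaware escaper that puts a backslash before each quote byte (the ticket does not name the fallback), uses Python codec names as stand-ins for the MySQL character sets named above, and uses a constructed two-byte sample.

```python
"""Audit which connection character sets defeat byte-wise quote escaping."""

BACKSLASH = 0x5C

def bytewise_escape(raw: bytes) -> bytes:
    """Assumed charset-unaware escaper: backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(BACKSLASH)
        out.append(0x30 if b == 0 else b)  # NUL is written as backslash + "0"
    return bytes(out)

def absorbing_lead_bytes(charset: str) -> list:
    """Lead bytes that pair with 0x5C to form one valid character in charset."""
    found = []
    for lead in range(0x80, 0x100):
        try:
            decoded = bytes([lead, BACKSLASH]).decode(charset)
        except UnicodeDecodeError:
            continue
        if len(decoded) == 1:  # the backslash was consumed as a trail byte
            found.append(lead)
    return found

def quote_survives(raw: bytes, charset: str) -> bool:
    """True if a quote is left unescaped once the escaped bytes are read as charset."""
    text = bytewise_escape(raw).decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # skip the backslash and the character it escapes
            continue
        if text[i] in "'\"":
            return True
        i += 1
    return False

SAMPLE = b"\xbf'"  # constructed input: one high byte followed by a quote

if __name__ == "__main__":
    for cs in ("utf8", "latin1", "gbk", "big5"):  # character sets named in the ticket
        print(cs, len(absorbing_lead_bytes(cs)), quote_survives(SAMPLE, cs))
```

A character set with no absorbing lead bytes cannot swallow the inserted backslash, which matches the ticket's remark that utf8 and latin1 servers see no practical effect.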