id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
11819	Use mysql_real_escape_string instead of addslashes	hakre	ryan	"Good news for security: About 20 days ago, 2.9 was released, which raised the minimum PHP requirement to version 4.3. A benefit of that version is that it provides an important function to prevent SQL injections:

  [http://php.net/manual/en/function.mysql-real-escape-string.php mysql_real_escape_string()]

Writing those lines as of today might look a bit awkward, but until today there were already multiple attempts to get escaping of data for the database properly done, including the use of mysql_real_escape_string. A first attempt was made in [2684] as a fix for #1394. I cannot say it better in my own words than the ticket's description:

  add_slashes() does not escape all database input correctly

That was for WordPress version 1.5, at that time, 5 years ago by now. But those changes were reverted in [2737], where matt described his own code as ''""It falls back to funky escaping that causes problems and is not reversible, so temporarily disabling.""''. There is no ticket related to that changeset, so this is the only documentation we have of why that was removed.

I '''strongly''' doubt that ''mysql_real_escape_string()'' is broken and I see absolutely no argument to not use it from now on whenever something needs to be escaped for database queries and a resource link to the MySQL connection is available.
"	defect (bug)	closed	high		Security	2.5	critical	wontfix		secondv dkikizas@… nashwan.doaqan@…
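The following is an added example, not code from the ticket or from WordPress, showing the difference the ticket argues about: addslashes() is a generic PHP string function, while the real-escape function works from the escaping rules and character set of the live MySQL connection. It uses the mysqli_* functions because the mysql_* extension named in the ticket was removed in PHP 7; the host, credentials, database name and the assumed `users` table with a `login` column are placeholders.

```php
<?php
// Added example (not from the ticket or WordPress): compares addslashes() with
// mysqli_real_escape_string(), the connection-aware escaper the ticket asks for.
// Assumptions: a reachable MySQL server (placeholder host/credentials below) and
// a table `users` with a `login` column.

$link = mysqli_connect('db.example.invalid', 'app_user', 'app_password', 'appdb');
if (!$link) {
    die('connect failed: ' . mysqli_connect_error() . "\n");
}
// The escaper must know the connection charset, so set it through the API
// rather than with a raw "SET NAMES" query, which mysqli would not notice.
mysqli_set_charset($link, 'utf8mb4');

// Constructed inputs that exercise characters the two functions treat differently.
$samples = [
    "O'Reilly",          // both functions escape the single quote
    "back\\slash",       // both functions escape the backslash
    "line1\nline2",      // newline: escaped only by mysqli_real_escape_string()
    "ctrl-z:\x1a",       // 0x1A: escaped only by mysqli_real_escape_string()
];

foreach ($samples as $raw) {
    printf("raw=%-18s addslashes=%-22s real_escape=%s\n",
        json_encode($raw),
        json_encode(addslashes($raw)),
        json_encode(mysqli_real_escape_string($link, $raw)));
}

// Correct use of the escaped value: it must be placed inside a quoted string
// literal. Escaping gives no protection in an unquoted context such as
// "LIMIT $n" or an identifier position; those need a cast or an allow-list.
$name = mysqli_real_escape_string($link, "O'Reilly");
$sql  = "SELECT id FROM users WHERE login = '$name'";
$res  = mysqli_query($link, $sql);
if ($res === false) {
    die('query failed: ' . mysqli_error($link) . "\n");
}
echo "matched rows: " . mysqli_num_rows($res) . "\n";
mysqli_close($link);
```

The first loop makes the ticket's claim visible: the newline and 0x1A samples pass through addslashes() unchanged but come back escaped from the connection-aware function. The last part shows the caveat that escaping only works for values inside quoted literals, which is why the escaped value is always wrapped in single quotes in the query.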
