add_metadata() Fails to Store Serialized Values as BINARY
Reported by: miqrogroove; Owned by: ryan
WordPress stores corrupt values in post_metadata if there are any non-UTF-8 bytes in the meta_value.
Steps to reproduce:
Call add_metadata() with non-UTF-8 values such as a latin-1 copyright char.
Even though the serialized string goes through prepare() before the query, MySQL is required to truncate the invalid value being assigned to the meta_value field. The result is that the stored value can never be un-serialized.
This behavior can also be replicated by trying to inject CHAR(169) into any UTF-8 table query.
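The failure reported above, modelled in Python as an added example (not WordPress code and not from the ticket). `php_serialize_str` and `php_unserialize_str` are hypothetical stand-ins that handle only PHP's `s:N:"...";` string format, and `store_in_utf8_column` assumes the truncate-at-first-invalid-byte behaviour the report attributes to MySQL.

```python
def php_serialize_str(raw: bytes) -> bytes:
    """PHP serialize() layout for a string: s:<byte length>:"<bytes>";"""
    return b's:%d:"%s";' % (len(raw), raw)


def store_in_utf8_column(value: bytes) -> bytes:
    """Assumed model of the write: keep only the bytes that precede the
    first invalid UTF-8 sequence, as the ticket describes."""
    try:
        value.decode("utf-8")
        return value
    except UnicodeDecodeError as exc:
        return value[:exc.start]


def php_unserialize_str(blob: bytes):
    """Parse s:N:"...";  Returns the payload, or None where PHP's
    unserialize() would return false."""
    if not blob.startswith(b"s:"):
        return None
    sep = blob.find(b":", 2)
    if sep == -1 or not blob[2:sep].isdigit():
        return None
    n = int(blob[2:sep])
    body = blob[sep + 1:]
    # The declared length must be backed by n bytes plus the quotes and ';'.
    if len(body) < n + 3 or body[:1] != b'"' or body[n + 1:n + 3] != b'";':
        return None
    return body[1:n + 1]


def roundtrip(raw: bytes):
    """Serialize, write to the modelled UTF-8 column, read back."""
    return php_unserialize_str(store_in_utf8_column(php_serialize_str(raw)))


# Constructed sample values: the same text in two encodings.
LATIN1 = "© 2010 Example".encode("latin-1")  # 0xA9 alone is not valid UTF-8
UTF8 = "© 2010 Example".encode("utf-8")      # 0xC2 0xA9 is valid

if __name__ == "__main__":
    print(store_in_utf8_column(php_serialize_str(LATIN1)))  # header only
    print(roundtrip(LATIN1))        # unreadable after storage
    print(roundtrip(UTF8) == UTF8)  # survives the round trip
```

Running `roundtrip()` on a value before it is written is one way to detect input that would be stored unreadable; a binary-safe column or encoding avoids the truncation altogether.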
Change History (4)
comment:1 miqrogroove — 4 years ago
- Summary changed from "add_metadata() Fails to Validate Inputs Before Serializing Them" to "add_metadata() Fails to Store Serialized Values as BINARY"