id	summary	reporter	owner	description	type	status	priority	milestone	component	version	severity	resolution	keywords	cc
12402	make addslashes_gpc() use addslashes() fix to use real_escape, rather than addslashes	Denis-de-Bernardy	ryan	"If memory serves, the main problems with making wpdb->escape() point to mysql_real_escape_string() were two:

 1. mysql_real_escape_string() doesn't work on all platforms
 2. mysql_real_escape_string() doesn't play well with unslashing

Point 1 is covered in wpdb->_real_escape().

The legacy fix to point 2, for some strange reason, led to disabling mysql_real_escape_string() on platforms that could actually use it, instead of using add_magic_quotes() where calls to addslashes()/stripslashes() could occur.

r12961 partially fixes point 2. But only partially.

At the risk of re-opening the can of worms, the attached patch finishes fixing point 2...:

 - It changes addslashes_gpc() and esc_sql() so that they use add_magic_quotes() instead.
 - This frees wpdb->escape(), which can then be a true alias for wpdb->_real_escape().

I've scanned trunk for occurrences of wpdb->escape() used on arrays -- there were none."	defect (bug)	new	normal	Future Release	Security	3.0	normal		has-patch needs-testing	westi