Opened 4 years ago

Closed 4 years ago

#11788 closed enhancement (fixed)

barely sanitized strings are put straight in the database in ms-site.php

Reported by: Denis-de-Bernardy
Owned by:
Milestone: 3.0
Priority: normal
Severity: major
Version: 3.0
Component: Multisite
Keywords:
Focuses:
Cc:

Description

There arguably are magic quotes, but it's freaky scary to read things such as:

$s = wp_specialchars( trim( $_GET[ 's' ] ) );
...
" AND ( {$wpdb->blogs}.domain LIKE '%{$s}%' OR {$wpdb->blogs}.path LIKE '%{$s}%' ) ";
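
An added example, not part of the ticket and not the change that closed it: the quoted query HTML-escapes a value that is headed for a SQL LIKE clause, so this standalone PHP sketch shows escaping for the SQL context instead (a bound parameter plus literal matching of LIKE wildcards). It uses PDO with an in-memory SQLite table constructed to resemble `{$wpdb->blogs}`; `escape_like`, `search_blogs` and the rows are assumptions, and in WordPress the corresponding calls are `$wpdb->prepare()` and `$wpdb->esc_like()`.

```php
<?php
// Added example: standalone PDO/SQLite, not WordPress code. Table and rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE blogs (blog_id INTEGER PRIMARY KEY, domain TEXT, path TEXT)");
$db->exec("INSERT INTO blogs (domain, path) VALUES
    ('example.test', '/'),
    ('example.test', '/r&d/'),
    ('example.test', '/100%_off/'),
    ('shop.example.test', '/')");

// Hypothetical helper: make LIKE metacharacters (and the escape character
// itself) literal, so a search term cannot act as a wildcard pattern.
function escape_like(string $term): string {
    return addcslashes($term, '_%\\');
}

// Hypothetical helper: the ticket's domain/path search with the term passed
// as a bound parameter, so it is never parsed as SQL text.
function search_blogs(PDO $db, string $raw): array {
    $like = '%' . escape_like(trim($raw)) . '%';
    $stmt = $db->prepare(
        "SELECT path FROM blogs
         WHERE domain LIKE :d ESCAPE '\\' OR path LIKE :p ESCAPE '\\'
         ORDER BY blog_id"
    );
    $stmt->execute([':d' => $like, ':p' => $like]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed search terms covering the characters that matter in each context.
$cases = [
    'plain term'              => 'shop',
    'ampersand, raw'          => 'r&d',
    'ampersand, HTML-escaped' => htmlspecialchars('r&d'),
    'percent sign'            => '%',
    'underscore'              => '_',
    'single quote'            => "r'd",
];
foreach ($cases as $label => $term) {
    $paths = implode(', ', search_blogs($db, $term));
    printf("%-24s %-10s => [%s]\n", $label, $term, $paths);
}
```

The HTML-escaped term no longer matches the stored `/r&d/` row, while `%` and `_` match only the row that actually contains those characters.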

Change History (2)

comment:1 ninjaWR 4 years ago

  • Milestone changed from Future Release to 3.0
  • Severity changed from normal to major

Should be fixed before 3.0 ships, IMO

comment:2 nacin 4 years ago

  • Resolution set to fixed
  • Status changed from new to closed

#11644. Both fixed at some point.
