#1394 closed defect (bug) (fixed)
add_slashes() does not escape all database input correctly
Reported by: | auroraeosrose | Owned by: | |
---|---|---|---|
Milestone: | Priority: | normal | |
Severity: | major | Version: | 1.5.1.1 |
Component: | Security | Keywords: | |
Focuses: | Cc: |
Description
wp-db.php - the database class - the escape function uses add_slashes to try to escape data for sql use/insertion
This will fail under several methods
- Mysql in ansi mode
- NULL, \x00, \n, \r, \, " and \x1a characters not escaped
- Mysql 4.1 with a different character set or earlier versions when mysql is run in a different character set
mysql_escape_string() has been around since 4.0.3
since wordpress requires 4.1 it shouldn't be a problem
Attachments (1)
Change History (8)
Note: See
TracTickets for help on using
tickets.
(In [2684]) Better escaping from class, fixes #1394