Make WordPress Core

Opened 9 years ago

Closed 9 years ago

Last modified 4 years ago

#1394 closed defect (bug) (fixed)

add_slashes() does not escape all database input correctly

Reported by: auroraeosrose Owned by:
Milestone: Priority: normal
Severity: major Version:
Component: Security Keywords:
Focuses: Cc:


wp-db.php - the database class - the escape function uses add_slashes to try to escape data for sql use/insertion

This will fail under several methods

  1. Mysql in ansi mode
  2. NULL, \x00, \n, \r, \, " and \x1a characters not escaped
  3. Mysql 4.1 with a different character set or earlier versions when mysql is run in a different character set

mysql_escape_string() has been around since 4.0.3
since wordpress requires 4.1 it shouldn't be a problem

Attachments (1)

db.diff (667 bytes) - added by auroraeosrose 9 years ago.

Download all attachments as: .zip

Change History (8)

comment:2 auroraeosrose9 years ago

  • Patch set to No

auroraeosrose9 years ago

comment:3 matt9 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [2684]) Better escaping from class, fixes #1394

comment:4 hakre4 years ago

  • Keywords health-check added

The changes have been removed which means a downgrade to addslahes for many installations again. See #11819.

comment:5 hakre4 years ago

Changes were removed in [2737].

comment:6 Denis-de-Bernardy4 years ago

  • Keywords health-check removed

a check was added that prompts for mysql_real_escape()

comment:7 hakre4 years ago

Related: #9189

Note: See TracTickets for help on using tickets.