Make WordPress Core

Opened 19 years ago

Closed 19 years ago

Last modified 14 years ago

#1394 closed defect (bug) (fixed)

add_slashes() does not escape all database input correctly

Reported by: auroraeosrose
Owned by:
Milestone:
Priority: normal
Severity: major
Version: 1.5.1.1
Component: Security
Keywords:
Focuses:
Cc:

Description

wp-db.php - the database class - the escape function uses add_slashes to try to escape data for sql use/insertion

This will fail under several methods

  1. MySQL in ANSI mode
  2. NULL, \x00, \n, \r, \, " and \x1a characters not escaped
  3. MySQL 4.1 with a different character set, or earlier versions when MySQL is run in a different character set

mysql_escape_string() has been around since 4.0.3;
since WordPress requires 4.1 it shouldn't be a problem
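As an added illustration (not code from the ticket or from WordPress), the PHP below runs the characters listed in the description through addslashes() and through a reimplementation of the byte rules mysql_escape_string() applied, and reports which bytes addslashes() leaves raw. The function names mysql_style_escape() and unescaped_by_addslashes() and the sample value are assumptions made for this example.

```php
<?php
// Added example, not from the ticket or WordPress: compares addslashes() with
// an escaper that mirrors the byte-level rules of mysql_escape_string().
// mysql_escape_string() is gone from modern PHP, so its rules are reimplemented
// here for illustration only; like the original it is NOT charset-aware.

/**
 * Escape the byte set MySQL's C API escapes: NUL, \n, \r, \, ', " and \x1a.
 * A connection-charset-aware escape (mysqli_real_escape_string()) or prepared
 * statements are what an application should actually use.
 */
function mysql_style_escape(string $s): string {
    static $map = [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ];
    // strtr() with an array replaces in a single pass, so no double escaping.
    return strtr($s, $map);
}

/** Names of the control bytes from the ticket that addslashes() passes through untouched. */
function unescaped_by_addslashes(string $s): array {
    $out  = addslashes($s);
    $left = [];
    foreach (["\x00" => 'NUL', "\n" => 'LF', "\r" => 'CR', "\x1a" => 'SUB'] as $byte => $name) {
        if (strpos($s, $byte) !== false && strpos($out, $byte) !== false) {
            $left[] = $name;
        }
    }
    return $left;
}

// Constructed sample: every character class from the ticket's list in one value.
$sample = "O'Reilly \"quoted\" back\\slash nul\x00 lf\n cr\r sub\x1a";

// addcslashes() is only used here to make control bytes visible on the terminal.
printf("addslashes  : %s\n", addcslashes(addslashes($sample), "\0..\37\177"));
printf("mysql-style : %s\n", addcslashes(mysql_style_escape($sample), "\0..\37\177"));
printf("left raw by addslashes(): %s\n", implode(', ', unescaped_by_addslashes($sample)));
```

addslashes() does turn NUL into the two characters `\0`, so the bytes it leaves raw are LF, CR and SUB (\x1a); neither function knows the connection's character set, which is the separate concern behind item 3.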

Attachments (1)

db.diff (667 bytes) - added by auroraeosrose 19 years ago.


Change History (8)

#2 @auroraeosrose
19 years ago

  • Patch set to No

@auroraeosrose
19 years ago

#3 @matt
19 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [2684]) Better escaping from class, fixes #1394

#4 @hakre
14 years ago

  • Keywords health-check added

The changes have been removed, which means a downgrade to addslashes for many installations again. See #11819.

#5 @hakre
14 years ago

Changes were removed in [2737].

#6 @Denis-de-Bernardy
14 years ago

  • Keywords health-check removed

A check was added that prompts for mysql_real_escape()

#7 @hakre
14 years ago

Related: #9189
