Make WordPress Core

Opened 12 years ago

Closed 12 years ago

Last modified 12 years ago

#21548 closed defect (bug) (invalid)

Wrong mysql_set_charset() params order in wp-db.php

Reported by: gubnota's profile gubnota Owned by:
Milestone: Priority: normal
Severity: normal Version: 3.3.2
Component: Database Keywords:
Focuses: Cc:

Description

Potential SQL injection vulnerability found in wp-includes/wp-db.php where mysql_set_charset() execution in class wpdb->set_charset() has wrong param order.
Whereas it should be:

mysql_set_charset( $dbh, $charset );

It is:

mysql_set_charset( $charset, $dbh );

In some cases it causes MySQL to use default latin1 encoding.

Change History (3)

#1 @dd32
12 years ago

as per the PHP Docs, the order is correct:

bool mysql_set_charset ( string $charset [, resource $link_identifier = NULL ] )

#2 @dd32
12 years ago

  • Keywords has-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

#3 @SergeyBiryukov
12 years ago

Also, you might have seen this when creating the ticket:

Do not report potential security vulnerabilities here. Read the Security FAQ and email us at security@….

Note: See TracTickets for help on using tickets.