WordPress.org

Make WordPress Core

Opened 21 months ago

Closed 21 months ago

Last modified 21 months ago

#21548 closed defect (bug) (invalid)

Wrong mysql_set_charset() params order in wp-db.php

Reported by: gubnota
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 3.3.2
Component: Database
Keywords:
Focuses:
Cc:

Description

Potential SQL injection vulnerability found in wp-includes/wp-db.php, where the mysql_set_charset() execution in class wpdb->set_charset() has the wrong param order.
Whereas it should be:

mysql_set_charset( $dbh, $charset );

It is:

mysql_set_charset( $charset, $dbh );

In some cases it causes MySQL to use the default latin1 encoding.

Change History (3)

comment:1 dd32 21 months ago

As per the PHP docs, the order is correct:

bool mysql_set_charset ( string $charset [, resource $link_identifier = NULL ] )

comment:2 dd32 21 months ago

  • Keywords has-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to invalid
  • Status changed from new to closed

comment:3 SergeyBiryukov 21 months ago

Also, you might have seen this when creating the ticket:

Do not report potential security vulnerabilities here. Read the Security FAQ and email us at security@….
