Make WordPress Core

Opened 8 years ago

Closed 7 years ago

Last modified 7 years ago

#2458 closed defect (bug) (invalid)

postmeta data not escaped

Reported by: bungeman
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.0.1
Component: Administration
Keywords: escape, slash, bg|has-patch
Focuses:
Cc:

Description

Occurs while trying to import from Moveabletype on a Windows machine. Windows uses forward slashes '\' for directories, but for SQL these are escape characters. The values sent to the INSERT query are being escaped.

Attachments (2)

postmeta_not_escaped.diff (709 bytes) - added by bungeman 8 years ago.
escapes the id, key, and value when creating post meta data
importfilenotescaped.diff (879 bytes) - added by bungeman 8 years ago.
escapes the values before creating the post


Change History (8)

bungeman 8 years ago

escapes the id, key, and value when creating post meta data

comment:1 bungeman 8 years ago

  • Keywords bg|has-patch added

comment:2 ryan 8 years ago

They should be passed in already escaped. This change will result in double escaping for those who already escape.

comment:3 bungeman 8 years ago

Why is escaping always done so high in the food chain? This seems to be common throughout the code. It would seem that this duplication of information would be nothing but a giant headache. Since escaping should only be done in order to create queries, all $wpdb->escape() calls should only be used in the (direct) creation of query strings. If a variable will be used to hold a value escaped in this way it should carry something like db_x, since it duplicates information. At the very least there needs to be some documentation on which kind a function takes, escaped or non-escaped.
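The two positions above (escape in the caller before handing the value to add_post_meta, or escape inside the helper at the point the query string is built) differ only in where the single escaping step happens, and the cost of getting it wrong in either direction is shown below. This is an added example, not WordPress code or the reporter's patch: it emulates how the MySQL server decodes backslash escapes inside a single-quoted literal so that the effect of escaping a Windows path zero, one or two times can be seen without a database. It assumes that $wpdb->escape() in WordPress 2.0.x behaves like PHP's addslashes(), which stands in for it here, and that the helper functions, the `_mt_file` meta key and the sample path are all constructed for the illustration. It needs PHP 7.4 or newer.

```php
<?php
declare(strict_types=1);

// Added example (not WordPress code). It emulates how the MySQL server decodes
// backslash escapes inside a single-quoted string literal, so the effect of
// escaping a value zero, one or two times can be seen without a database.
// Assumption: $wpdb->escape() in WordPress 2.0.x behaves like addslashes(),
// which is what stands in for it below. The helper names and the sample path
// are constructed for this example.

/** Decode the body of a MySQL single-quoted literal the way the server would. */
function mysql_unescape_literal(string $body): string
{
    $out = '';
    $len = strlen($body);
    for ($i = 0; $i < $len; $i++) {
        $c = $body[$i];
        if ($c !== '\\' || $i + 1 >= $len) {
            $out .= $c;
            continue;
        }
        $n = $body[++$i];
        switch ($n) {
            case '0': $out .= "\0";   break;
            case 'b': $out .= "\x08"; break;
            case 'n': $out .= "\n";   break;
            case 'r': $out .= "\r";   break;
            case 't': $out .= "\t";   break;
            case 'Z': $out .= "\x1a"; break;
            case '%':
            case '_': $out .= '\\' . $n; break;  // kept verbatim outside LIKE
            default:  $out .= $n;                // \\ -> \, \' -> ', \U -> U
        }
    }
    return $out;
}

/** Helper that trusts the caller to have escaped already (the contract described in comment:2). */
function insert_caller_escapes(string $value_as_given): string
{
    return "INSERT INTO wp_postmeta (meta_key, meta_value) VALUES ('_mt_file', '$value_as_given')";
}

/** Helper that escapes while building the query and takes a raw value (the proposal in comment:3). */
function insert_helper_escapes(string $raw_value): string
{
    return "INSERT INTO wp_postmeta (meta_key, meta_value) VALUES ('_mt_file', '"
        . addslashes($raw_value) . "')";
}

/** Extract the meta_value literal from the generated SQL and decode it as MySQL would. */
function value_mysql_would_store(string $sql): string
{
    $start = strrpos($sql, ", '") + 3;
    $end   = strrpos($sql, "')");
    return mysql_unescape_literal(substr($sql, $start, $end - $start));
}

/** Make control characters visible in the printed result. */
function show(string $s): string
{
    return preg_replace_callback('/[\x00-\x1f]/', fn ($m) => sprintf('<0x%02x>', ord($m[0])), $s);
}

// Constructed Windows path of the kind the Movable Type importer hands over.
// In a MySQL literal "\b" reads as backspace and "\n" as newline unless escaped.
$path = 'C:\Users\bungeman\nw.jpg';

$cases = [
    'not escaped at all'          => insert_caller_escapes($path),
    'escaped once, by the caller' => insert_caller_escapes(addslashes($path)),
    'escaped once, by the helper' => insert_helper_escapes($path),
    'escaped twice (both layers)' => insert_helper_escapes(addslashes($path)),
];

foreach ($cases as $label => $sql) {
    $stored = value_mysql_would_store($sql);
    printf("%-28s %s  %s\n", $label, $stored === $path ? 'ok ' : 'BAD', show($stored));
}
```

Run it with `php` on the command line. The first row is the reporter's symptom: with no escaping, MySQL swallows the backslash before `U` and turns `\b` and `\n` into control characters, so the stored path is silently corrupted. The two middle rows come out identical, which is why either contract works as long as every caller knows which one is in force. The last row is ryan's objection to the patch: if the helper starts escaping while existing callers keep escaping too, every backslash is stored doubled. The emulator only models escape decoding, not quote termination, so it will not flag the broken statement an unescaped `'` in a value would produce.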

bungeman 8 years ago

escapes the values before creating the post

comment:4 bungeman 8 years ago

  • Milestone set to 2.1

comment:5 matt 7 years ago

  • Resolution set to invalid
  • Status changed from new to closed

comment:6 Nazgul 7 years ago

  • Milestone 2.1 deleted