Make WordPress Core

Opened 10 years ago

Closed 10 years ago

Last modified 9 years ago

#2458 closed defect (bug) (invalid)

postmeta data not escaped

Reported by: bungeman
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.0.1
Component: Administration
Keywords: escape, slash, bg|has-patch
Focuses:
Cc:

Description

Occurs while trying to import from Movable Type on a Windows machine. Windows uses forward slashes '\' for directories, but for SQL these are escape characters. The values sent to the INSERT query are being escaped.

Attachments (2)

postmeta_not_escaped.diff (709 bytes) - added by bungeman 10 years ago.
escapes the id, key, and value when creating post meta data
importfilenotescaped.diff (879 bytes) - added by bungeman 10 years ago.
escapes the values before creating the post

Change History (8)

@bungeman
10 years ago

escapes the id, key, and value when creating post meta data

#1 @bungeman
10 years ago

  • Keywords bg|has-patch added

#2 @ryan
10 years ago

They should be passed in already escaped. This change will result in double escaping for those who already escape.

#3 @bungeman
10 years ago

Why is escaping always done so high in the food chain? This seems to be common throughout the code. It would seem that this duplication of information would be nothing but a giant headache. Since escaping should only be done in order to create queries, all $wpdb->escape() calls should only be used in the (direct) creation of query strings. If a variable will be used to hold a value escaped in this way it should carry something like db_x, since it duplicates information. At the very least there needs to be some documentation on which kind a function takes, escaped or non-escaped.
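As an added illustration of the layering point raised in this comment (example code, not from the ticket, its patches or WordPress core): PHP's addslashes() stands in for $wpdb->escape(), stripslashes() simulates what MySQL stores for the quoted literal, and the function and variable names are assumed.

```php
<?php
// Added example, not code from the ticket or from WordPress core.
// addslashes() stands in for $wpdb->escape(); the query is only echoed,
// never executed.

// The single place where escaping happens: where the query string is
// assembled. Callers pass raw (unescaped) values.
function insert_postmeta_sql(int $post_id, string $key, string $value): string {
    $db_x_key   = addslashes($key);    // "db_x" prefix marks an escaped copy,
    $db_x_value = addslashes($value);  // which must not be escaped again
    return "INSERT INTO wp_postmeta (post_id, meta_key, meta_value) "
         . "VALUES ($post_id, '$db_x_key', '$db_x_value')";
}

// What MySQL stores for a single-quoted literal produced by addslashes():
// the escape sequences are resolved exactly once.
function mysql_stored_literal(string $escaped): string {
    return stripslashes($escaped);
}

// Constructed sample input: a Windows path of the kind the Movable Type
// import in the ticket produces (single quotes keep the backslashes literal).
$raw_path = 'C:\Users\me\upload.jpg';

// Correct layering: the caller passes the raw value and the query builder
// escapes once, so the stored value equals the original path.
$once = addslashes($raw_path);
echo "in query (escaped once):  $once\n";
echo "stored (escaped once):    ", mysql_stored_literal($once), "\n";

// Double escaping: the caller pre-escapes, as the attached patches do, and
// the builder escapes again, so every backslash is doubled in the stored row.
$twice = addslashes(addslashes($raw_path));
echo "in query (escaped twice): $twice\n";
echo "stored (escaped twice):   ", mysql_stored_literal($twice), "\n";

// The builder used as intended, with the raw value.
echo insert_postmeta_sql(7, 'mt_file', $raw_path), "\n";
```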

@bungeman
10 years ago

escapes the values before creating the post

#4 @bungeman
10 years ago

  • Milestone set to 2.1

#5 @matt
10 years ago

  • Resolution set to invalid
  • Status changed from new to closed

#6 @Nazgul
9 years ago

  • Milestone 2.1 deleted