#24773 closed defect (bug) (fixed)
Improper DB configuration is a problem for esoteric server character sets
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 3.6 | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Database | Keywords: | |
| Focuses: | | Cc: | |

Description
If DB_CHARSET is empty or undefined, we do not call mysql_set_charset(), and in turn, mysql_real_escape_string() is avoided.
We should instead always call mysql_real_escape_string(). As long as we have a DB connection — and upon construction of wpdb, we will — then the MySQL server will handle escaping, even if mysql_set_charset() is not called.
This is ultimately a configuration issue. If you are using a character set like BIG5 or GBK, you really need to be defining and setting DB_CHARSET.
The default value for DB_CHARSET in wp-config-sample.php is 'utf8'. Also, if your server's character set is utf8, latin1, and a number of other lesser-used values, this has no practical effect. A large sampling of WordPress sites were checked and none were found to have a vulnerable configuration.
This has been reviewed by the WP security team for inclusion in WordPress 3.6.
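
Added example (not part of the ticket and not WordPress code): a small audit that reads the text of a wp-config.php, reports whether DB_CHARSET is undefined, empty or set, and combines that with the server character set to decide whether the configuration described above needs fixing. The function names, result labels and sample configs are assumptions made for illustration; the server character set is assumed to be supplied by the operator.

```python
import re

# define('DB_CHARSET', 'value') with either quote style around name and value.
DEFINE_RE = re.compile(r"""define\s*\(\s*(['"])DB_CHARSET\1\s*,\s*(['"])(.*?)\2\s*\)""")

# Server character sets the ticket names as having no practical effect.
# It also mentions "a number of other lesser-used values" without listing them.
NO_PRACTICAL_EFFECT = {"utf8", "latin1"}

def strip_comments(php):
    """Drop /* */ blocks and whole-line // or # comments (simplified PHP parsing)."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", php)

def db_charset_status(config_text):
    """Return ('undefined' | 'empty' | 'set', value) for DB_CHARSET."""
    found = DEFINE_RE.findall(strip_comments(config_text))
    if not found:
        return ("undefined", None)
    value = found[0][2].strip()  # PHP keeps the first definition of a constant
    return ("set", value) if value else ("empty", "")

def finding(config_text, server_charset):
    """server_charset comes from the operator, e.g. MySQL's character_set_server."""
    status, _value = db_charset_status(config_text)
    if status == "set":
        return "ok"
    if server_charset.lower() in NO_PRACTICAL_EFFECT:
        return "no-practical-effect"
    return "define-db-charset"

# Constructed sample configs (not taken from any real site).
SAMPLE_OK = "<?php\ndefine('DB_CHARSET', 'utf8');\n"
SAMPLE_EMPTY = '<?php\ndefine( "DB_CHARSET", "" );\n'
SAMPLE_COMMENTED = "<?php\n// define('DB_CHARSET', 'gbk');\ndefine('DB_NAME', 'wp');\n"

if __name__ == "__main__":
    cases = [("ok", SAMPLE_OK, "gbk"), ("empty", SAMPLE_EMPTY, "gbk"),
             ("empty", SAMPLE_EMPTY, "latin1"), ("commented", SAMPLE_COMMENTED, "big5")]
    for name, cfg, server in cases:
        print(name, server, db_charset_status(cfg), finding(cfg, server))
```
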
In 24712: