Improper DB configuration is a problem for esoteric server character sets

[nacin]

If DB_CHARSET is empty or undefined, we do not call mysql_set_charset(), and in turn, mysql_real_escape_string() is avoided.

We should instead always call mysql_real_escape_string(). As long as we have a DB connection — and upon construction of wpdb, we will — then the MySQL server will handle escaping, even if mysql_set_charset() is not called.

This is ultimately a configuration issue. If you are using a character set like BIG5 or GBK, you really need to be defining and setting DB_CHARSET.

The default value for DB_CHARSET in wp-config-sample.php 'utf8'. Also, if your server's character set is utf8, latin1, and a number of other lesser-used values, this has no practical effect. A large sampling of WordPress sites were checked and none were found to have a vulnerable configuration.

This has been reviewed by the WP security team for inclusion in WordPress 3.6.

In 24712:

Always use mysql_real_escape_string(), even when DB_CHARSET is not properly set. fixes #24773.

This is a bit too aggressive and can break a database drop-in that connects to a database (and sets $this->dbh) on the fly, based on the dataset being acted upon. In particular, HyperDB.

In 24758:

Check that we have a database connection in wpdb::_real_escape(). see #24773.