Make WordPress Core

Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#24773 closed defect (bug) (fixed)

Improper DB configuration is a problem for esoteric server character sets

Reported by: nacin
Owned by: nacin
Milestone: 3.6
Priority: normal
Severity: normal
Version:
Component: Database
Keywords:
Focuses:
Cc:


If DB_CHARSET is empty or undefined, we do not call mysql_set_charset(), and in turn, mysql_real_escape_string() is avoided.

We should instead always call mysql_real_escape_string(). As long as we have a DB connection — and upon construction of wpdb, we will — then the MySQL server will handle escaping, even if mysql_set_charset() is not called.

This is ultimately a configuration issue. If you are using a character set like BIG5 or GBK, you really need to be defining and setting DB_CHARSET.

The default value for DB_CHARSET in wp-config-sample.php is 'utf8'. Also, if your server's character set is utf8, latin1, or a number of other lesser-used values, this has no practical effect. A large sampling of WordPress sites was checked and none were found to have a vulnerable configuration.

This has been reviewed by the WP security team for inclusion in WordPress 3.6.
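
A configuration check for the case described above, added here as an example and not part of the ticket or of WordPress itself: it reads the text of a wp-config.php and reports whether DB_CHARSET is defined with a non-empty literal. The function name, status labels and sample configs are constructed for illustration.

```python
import re

# Match quoted strings first so comment markers inside them (for example a
# salt containing "/*") are kept; real comments are replaced by a space.
_TOKEN = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
  | (?P<com>/\*.*?\*/|//[^\n]*|\#[^\n]*)
""", re.DOTALL | re.VERBOSE)

# define('DB_CHARSET', <quoted literal or some other expression>)
_DEFINE = re.compile(r"""
    \b(?i:define)\s*\(\s*(['"])DB_CHARSET\1\s*,\s*
    (?:(?P<q>['"])(?P<val>[^'"]*)(?P=q)|(?P<expr>[^)]+?))\s*\)
""", re.DOTALL | re.VERBOSE)


def audit_db_charset(config_text):
    """Return (status, value); status is ok, empty, undefined or dynamic."""
    code = _TOKEN.sub(lambda m: m.group("str") or " ", config_text)
    m = _DEFINE.search(code)  # PHP keeps the first define() of a constant
    if m is None:
        return ("undefined", None)   # the case the ticket warns about
    if m.group("expr") is not None:
        return ("dynamic", None)     # not a literal: needs manual review
    value = m.group("val").strip()
    return ("ok", value) if value else ("empty", "")


# Constructed sample configs (not taken from any real site).
SAMPLES = {
    "set": "<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_CHARSET', 'utf8');\n",
    "empty": "<?php\ndefine( 'DB_CHARSET', '' );\n",
    "commented": "<?php\n// define('DB_CHARSET', 'gbk');\n"
                 "define('AUTH_KEY', 'x/*y');\n"
                 "/* define('DB_CHARSET', 'utf8'); */\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, audit_db_charset(text))
```

Per the ticket, an `empty` or `undefined` result matters when the server character set is one like BIG5 or GBK; the server setting has to be checked separately.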

Change History (3)

#1 @nacin
5 years ago

  • Owner set to nacin
  • Resolution set to fixed
  • Status changed from new to closed

In 24712:

Always use mysql_real_escape_string(), even when DB_CHARSET is not properly set. fixes #24773.

#2 @nacin
5 years ago

This is a bit too aggressive and can break a database drop-in that connects to a database (and sets $this->dbh) on the fly, based on the dataset being acted upon. In particular, HyperDB.

#3 @nacin
5 years ago

In 24758:

Check that we have a database connection in wpdb::_real_escape(). see #24773.
