Improper DB configuration is a problem for esoteric server character sets
|Reported by:||nacin||Owned by:||nacin|
If DB_CHARSET is empty or undefined, we do not call mysql_set_charset(), and in turn, mysql_real_escape_string() is avoided.
We should instead always call mysql_real_escape_string(). As long as we have a DB connection — and upon construction of wpdb, we will — then the MySQL server will handle escaping, even if mysql_set_charset() is not called.
This is ultimately a configuration issue. If you are using a character set like BIG5 or GBK, you really need to be defining and setting DB_CHARSET.
The default value for DB_CHARSET in wp-config-sample.php 'utf8'. Also, if your server's character set is utf8, latin1, and a number of other lesser-used values, this has no practical effect. A large sampling of WordPress sites were checked and none were found to have a vulnerable configuration.
This has been reviewed by the WP security team for inclusion in WordPress 3.6.