id: 24773
summary: Improper DB configuration is a problem for esoteric server character sets
reporter: nacin
owner: nacin
description:
If DB_CHARSET is empty or undefined, we do not call mysql_set_charset(), and in turn, mysql_real_escape_string() is avoided. We should instead always call mysql_real_escape_string(). As long as we have a DB connection — and upon construction of wpdb, we will — then the MySQL server will handle escaping, even if mysql_set_charset() is not called.

This is ultimately a configuration issue. If you are using a character set like BIG5 or GBK, you really need to be defining and setting DB_CHARSET. The default value for DB_CHARSET in wp-config-sample.php is 'utf8'. Also, if your server's character set is utf8, latin1, or a number of other lesser-used values, this has no practical effect. A large sampling of WordPress sites were checked and none were found to have a vulnerable configuration.

This has been reviewed by the WP security team for inclusion in WordPress 3.6.
type: defect (bug)
status: closed
priority: normal
milestone: 3.6
component: Database
version:
severity: normal
resolution: fixed
keywords:
cc:
focuses: