Opened 8 years ago

Closed 7 years ago

#2490 closed defect (bug) (worksforme)

update_usermeta does not escape meta data

Reported by: kccricket
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 2.0.1
Component: General
Keywords:
Focuses:
Cc:

Description

update_usermeta does not escape any of the data passed to it.

I ran into this issue while attempting to pass an array that contains a value that contains an apostrophe to update_usermeta. This raises a WPDB error. The array is serialized by the function, but the apostrophes are not properly escaped, malforming the SQL query.

If the data in the array is escaped before being passed to update_usermeta, the query completes successfully. However, when the array is retrieved with get_usermeta, it is not unserialized and is returned as a string instead of an array.

update_option works as expected and does not exhibit this behavior.
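
The ordering of serialization and escaping described in this ticket, as an added PHP example that is not part of the ticket, its attached testcase, or WordPress core. `store_literal()` and `read_meta()` are hypothetical helpers, `addslashes()` stands in for the database layer's escaping function, and the sample value is constructed.

```php
<?php
// Added illustration, not WordPress code. store_literal() is a hypothetical,
// simplified model of MySQL reading a single-quoted string literal;
// addslashes() stands in for the database layer's escaping function.
function store_literal(string $literal): ?string {
    $out = '';
    for ($i = 0, $n = strlen($literal); $i < $n; $i++) {
        $c = $literal[$i];
        if ($c === "'") {
            return null;               // bare quote ends the literal early: query error
        }
        if ($c === '\\' && $i + 1 < $n) {
            $c = $literal[++$i];       // escaped char is stored without its backslash
        }
        $out .= $c;
    }
    return $out;
}

// Assumed reader behaviour: hand back the raw string when unserialize() fails.
function read_meta(?string $stored) {
    if ($stored === null) {
        return 'QUERY ERROR';
    }
    $value = @unserialize($stored);
    return $value === false ? $stored : $value;
}

$meta = array('nickname' => "O'Brien");   // constructed sample value

$cases = array(
    // 1. Serialize, no escaping: the apostrophe breaks the SQL literal.
    'serialize only' => serialize($meta),
    // 2. Escape each value, then serialize: the s:N length counts the
    //    backslash, which is gone once stored, so unserialize() fails.
    'escape, then serialize' => serialize(array_map('addslashes', $meta)),
    // 3. Serialize, then escape the whole string once: round-trips intact.
    'serialize, then escape' => addslashes(serialize($meta)),
);

foreach ($cases as $label => $literal) {
    $result = read_meta(store_literal($literal));
    printf("%-24s => %s\n", $label, is_array($result) ? 'array restored' : $result);
}
```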

Attachments (1)

bugtest.php (3.8 KB) - added by kccricket 8 years ago.
Testcase. Adds "Bug Test" and "Bug Test 2" submenus to the Plugins top level menu.


Change History (2)

kccricket 8 years ago

Testcase. Adds "Bug Test" and "Bug Test 2" submenus to the Plugins top level menu.

comment:1 Nazgul 7 years ago

  • Resolution set to worksforme
  • Status changed from new to closed

I haven't tested this, but a look at the code suggests this has been fixed in the meantime.
