Handling of escape sequences is muddled and non-compatible
Reported by: cdavies | Owned by: (none)
WordPress should use SQL-style escape sequences in its SQL statements, and HTML-style escape sequences in its output to the browser. Instead, it uses C-style escape sequences in its SQL.
This causes WordPress not to function correctly with MySQL in NO_BACKSLASH_ESCAPES mode, and makes porting to other DBMSs such as SQLite difficult.
The fix for this problem is to remove all instances of addslashes(...) from the code, and rewrite the escape function in wp-db.php.
While I was checking that this defect was not a duplicate, I also noticed a security defect reported against an ancient version of WordPress that took issue with the way SQL was escaped; the fix for that appears to have regressed.
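Added example, not WordPress code: a small model of how MySQL's lexer decodes a single-quoted literal with NO_BASHSLASH_ESCAPES off and on. It shows why addslashes()-style (C-style) escaping stops terminating the literal where intended under NO_BACKSLASH_ESCAPES, why quote doubling decodes the same in both modes, and why a replacement escape function still has to know the server mode to handle backslashes. Function names and the escape subset modelled are this example's own assumptions.

```python
from typing import Callable

# Subset of the backslash escapes MySQL recognises when NO_BACKSLASH_ESCAPES is off.
_BACKSLASH_MAP = {"n": "\n", "t": "\t", "r": "\r", "0": "\0"}

def escape_addslashes(value: str) -> str:
    """C-style escaping as PHP addslashes() does: prefix ', " and \\ with a backslash."""
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in value)

def escape_sql_quotes(value: str) -> str:
    """SQL-standard escaping: double every single quote; no backslashes involved."""
    return value.replace("'", "''")

def escape_for_mode(value: str, no_backslash_escapes: bool) -> str:
    """Quote doubling, plus backslash doubling whenever the server still treats
    backslash as an escape character (NO_BACKSLASH_ESCAPES off)."""
    if not no_backslash_escapes:
        value = value.replace("\\", "\\\\")
    return value.replace("'", "''")

def parse_literal(sql: str, no_backslash_escapes: bool) -> tuple[str, str]:
    """Decode the single-quoted literal at the start of `sql` as MySQL's lexer would.
    Returns (decoded_value, remaining_sql); raises if the literal is unterminated."""
    if not sql.startswith("'"):
        raise ValueError("expected a quoted literal")
    out, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and not no_backslash_escapes and i + 1 < len(sql):
            nxt = sql[i + 1]
            out.append(_BACKSLASH_MAP.get(nxt, nxt))  # unknown escape -> the char itself
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            out.append("'")  # a doubled quote is one literal quote in every mode
            i += 2
        elif ch == "'":
            return "".join(out), sql[i + 1:]  # closing quote; the rest is further SQL
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")

def round_trips(value: str, escaper: Callable[[str], str], no_backslash_escapes: bool) -> bool:
    """True if escaping, quoting and decoding `value` gives back exactly `value`
    with nothing left over, i.e. the literal ended where the caller intended."""
    literal = "'" + escaper(value) + "'"
    try:
        decoded, rest = parse_literal(literal, no_backslash_escapes)
    except ValueError:
        return False
    return decoded == value and rest == ""
```

With NO_BACKSLASH_ESCAPES on, `'O\'Reilly'` decodes to `O\` with `Reilly'` left over as trailing SQL, which is the breakage the ticket describes; quote doubling avoids it, but under the default mode backslashes still need mode-aware handling, which is why the escaping belongs in one place that knows the server's mode.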
Change History (9)
- Milestone set to 2.4 (future)
- Priority changed from high to normal
- Severity changed from major to normal