Ticket #1394 (closed defect: fixed)

Opened 4 years ago

Last modified 3 years ago

add_slashes() does not escape all database input correctly

Reported by: auroraeosrose
Assigned to: anonymous
Priority: normal
Milestone:
Component: Security
Version: 1.5.1.1
Severity: major
Keywords:
Cc:

Description

wp-db.php (the database class): the escape function uses add_slashes() to try to escape data for SQL use/insertion.

This will fail under several methods:

1. Mysql in ansi mode
2. NULL, \x00, \n, \r, \, " and \x1a characters not escaped
3. Mysql 4.1 with a different character set, or earlier versions when mysql is run in a different character set

mysql_escape_string() has been around since 4.0.3; since WordPress requires 4.1, it shouldn't be a problem.
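As an added illustration (not code from the ticket, the attached patch or WordPress), the PHP below puts addslashes() next to the byte-level rules MySQL's own escaping routine applies for single-byte connection charsets; mysql_escape_reference() is a constructed stand-in that needs no database connection. Production code should call the driver's escaping function on a live connection (mysqli_real_escape_string()) or use prepared statements, because only the driver knows the connection character set, which is the ticket's third point.

```php
<?php
// Added illustration for ticket #1394; not wp-db.php code.
// Compares addslashes() with the seven-byte escaping rule set that
// mysql_real_escape_string() applies for single-byte connection charsets.
// MYSQL_ESCAPES and mysql_escape_reference() are constructed here and need
// no connection; real code must use the driver function or prepared
// statements so the connection charset is taken into account.

/** The seven bytes MySQL's escaping routine rewrites, and their escapes. */
const MYSQL_ESCAPES = [
    "\x00" => '\\0',   // NUL
    "\n"   => '\\n',
    "\r"   => '\\r',
    "\\"   => '\\\\',
    "'"    => "\\'",
    '"'    => '\\"',
    "\x1a" => '\\Z',   // Ctrl-Z, treated as EOF by Windows tools
];

function mysql_escape_reference(string $s): string
{
    return strtr($s, MYSQL_ESCAPES);
}

/** Render control bytes as <hex> so the two outputs can be compared. */
function visible(string $s): string
{
    return preg_replace_callback('/[\x00-\x1f\x7f]/', function ($m) {
        return sprintf('<%02x>', ord($m[0]));
    }, $s);
}

/** Bytes from MYSQL_ESCAPES that addslashes() passes through unchanged. */
function bytes_missed_by_addslashes(): array
{
    $missed = [];
    foreach (array_keys(MYSQL_ESCAPES) as $c) {
        if (addslashes($c) === $c) {
            $missed[] = sprintf('\\x%02x', ord($c));
        }
    }
    return $missed;   // \n, \r and \x1a; addslashes() does handle NUL, ', " and \
}

$sample = "O'Reilly\x1a\r\nend";   // constructed input containing the awkward bytes
printf("addslashes():      %s\n", visible(addslashes($sample)));
printf("mysql rules:       %s\n", visible(mysql_escape_reference($sample)));
printf("addslashes misses: %s\n", implode(', ', bytes_missed_by_addslashes()));
```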

Attachments

db.diff (0.7 kB) - added by auroraeosrose on 05/21/05 06:39:18.

Change History

05/19/05 18:37:50 changed by auroraeosrose

05/19/05 18:37:51 changed by auroraeosrose

  • Patch set to No.

05/21/05 06:39:18 changed by auroraeosrose

  • attachment db.diff added.

07/02/05 23:31:44 changed by matt

  • status changed from new to closed.
  • resolution set to fixed.

(In [2684]) Better escaping from class, fixes #1394