Ticket #3243 (assigned task (blessed))

Opened 2 years ago

Last modified 11 months ago

Usermeta functions assume data to be pre-escaped

Reported by: markjaquith
Assigned to: markjaquith (accepted)
Priority: normal
Milestone: 2.9
Component: Administration
Version: 2.1
Severity: normal
Keywords: hunt-irrelevant
Cc:

Description (Last modified by markjaquith)

User meta functions assume that data passed to them is already escaped ($wpdb->escape()).

Post meta functions assume data is not already escaped.

I think we should move to a standardized way of doing this, and I think the standard should be to expect unescaped data.

  1. It is safer.
    • Worst case scenario with assuming data to be unescaped is that it gets double slashed.
    • Worst case scenario with assuming data to be escaped is an SQL injection vulnerability.
  2. Post meta has been doing it this way, for a longer time, so less code would have to change
  3. It would allow code consolidation, in terms of handling arrays/objects/strings, serialization, and escape.
  4. Currently, things like First Name and Last Name are passed through filters pre-slashed, which means that filters have to work around this.

Setting a milestone of 2.2

We can do this in trunk right after 2.1 ships, so that plugin authors will have 4 months to adapt.
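
The two contracts compared in the description, as an added example that is not part of the ticket or of WordPress code: it builds the statement for each caller/contract combination with a value containing a quote and reports what a backslash-escaping SQL parser would store. The `demo_*` functions are hypothetical, `addslashes()` is assumed as a stand-in for `$wpdb->escape()`, and the sample name is constructed.

```php
<?php
// Added illustration, not WordPress core code. demo_* names are hypothetical.

// Assumption: stands in for $wpdb->escape(), modelled here with addslashes().
function demo_escape(string $v): string {
    return addslashes($v);
}

// Contract A (user meta in the ticket): the caller must pass escaped data.
function demo_usermeta_sql_expects_escaped(string $key, string $value): string {
    return "UPDATE wp_usermeta SET meta_value = '$value' WHERE meta_key = '$key'";
}

// Contract B (post meta, the proposed standard): the function escapes raw data.
function demo_usermeta_sql_expects_raw(string $key, string $value): string {
    return demo_usermeta_sql_expects_escaped(demo_escape($key), demo_escape($value));
}

// Reads the meta_value literal the way a backslash-escaping SQL parser would.
// Returns the value that would be stored, or null if the literal ends early.
function demo_stored_value(string $sql): ?string {
    $marker = "meta_value = '";
    $out = '';
    for ($i = strpos($sql, $marker) + strlen($marker); $i < strlen($sql); $i++) {
        if ($sql[$i] === '\\' && $i + 1 < strlen($sql)) {
            $out .= $sql[++$i];              // escaped character is taken literally
        } elseif ($sql[$i] === "'") {        // unescaped quote closes the literal
            return substr($sql, $i + 1, 6) === ' WHERE' ? $out : null;
        } else {
            $out .= $sql[$i];
        }
    }
    return null;
}

$raw = "O'Brien"; // constructed sample last name
$cases = [
    'A, caller escaped'     => demo_usermeta_sql_expects_escaped('last_name', demo_escape($raw)),
    'A, caller forgot'      => demo_usermeta_sql_expects_escaped('last_name', $raw),
    'B, raw data'           => demo_usermeta_sql_expects_raw('last_name', $raw),
    'B, caller pre-escaped' => demo_usermeta_sql_expects_raw('last_name', demo_escape($raw)),
];
foreach ($cases as $label => $sql) {
    $stored = demo_stored_value($sql);
    $result = $stored === null ? 'quote closes the literal early; rest is parsed as SQL' : "stored as $stored";
    printf("%-22s %s\n", $label, $result);
}
```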

Change History

10/14/06 05:45:08 changed by markjaquith

  • status changed from new to assigned.
  • description changed.

01/25/07 22:16:01 changed by markjaquith

Sink or swim time for this issue. I still think we should do it. Thoughts?

03/27/07 22:42:35 changed by foolswisdom

  • milestone changed from 2.2 to 2.3.

08/23/07 19:10:27 changed by Nazgul

  • milestone changed from 2.3 (trunk) to 2.4 (future).

12/28/07 21:01:02 changed by darkdragon

  • keywords set to hunt-irrelevant.

This might have to do with the use of the prepare method. A lot of work was done there and would solve this problem.

02/20/08 17:28:55 changed by ryan

  • milestone changed from 2.5 to 2.6.