[wp-hackers] E-mail address and SQL injection

Peter Westwood peter.westwood at ftwr.co.uk
Wed Oct 24 20:14:12 GMT 2007

On 24 Oct 2007, at 21:08, Abel Cheung wrote:

> On 10/21/07, Rindisbacher Flurin <flurischt at gmail.com> wrote:
>>> $wpdb->get_row("SELECT ID FROM $wpdb->users WHERE  
>>> user_email='$author'
>>> LIMIT 1");
>>> So this will be safe no matter what $author contains?
>> This will be safe because in the line above $author is escaped.
>> ($wpdb->escape())
> Yes, safe if charset is iso-8859-1, ascii, utf-8 or other non- 
> multibyte charset.
> For multibyte charsets accepting backslash and single quote as the  
> second
> byte, it is quite possible to perform SQL injection as escape()  
> solely relies
> on add_slashes() but not mysql_real_escape_string(), so inserting a  
> character
> where second byte is single quote may do it.

$wpdb->escape uses mysql_real_escape_string() if available


and has done for the past 2 years:


Peter Westwood <peter.westwood at ftwr.co.uk>
Blog: http://blog.ftwr.co.uk/
WordPress Plugins: http://blog.ftwr.co.uk/wordpress/

More information about the wp-hackers mailing list