[wp-hackers] E-mail address and SQL injection

Jacob wordpress at santosj.name
Thu Oct 25 01:50:08 GMT 2007


No, it in fact only just returns addslashes, as you can see from the 115 
returning addslashes and the comment saying to disable the rest because 
of some problems. It has been disabled for quite some time now. At least 
from my estimate since 2.2.

Jacob Santos

Peter Westwood wrote:
>
> On 24 Oct 2007, at 21:08, Abel Cheung wrote:
>
>> On 10/21/07, Rindisbacher Flurin <flurischt at gmail.com> wrote:
>>>> $wpdb->get_row("SELECT ID FROM $wpdb->users WHERE user_email='$author'
>>>> LIMIT 1");
>>>>
>>>> So this will be safe no matter what $author contains?
>>>
>>> This will be safe because in the line above $author is escaped.
>>> ($wpdb->escape())
>>
>> Yes, safe if charset is iso-8859-1, ascii, utf-8 or other
>> non-multibyte charset.
>> For multibyte charsets accepting backslash and single quote as the
>> second byte, it is quite possible to perform SQL injection as escape()
>> solely relies on add_slashes() but not mysql_real_escape_string(), so
>> inserting a character where second byte is single quote may do it.
>
> $wpdb->escape uses mysql_real_escape_string() if available
>
> http://trac.wordpress.org/browser/trunk/wp-includes/wp-db.php#L112
>
> and has done for the past 2 years:
>
> http://trac.wordpress.org/changeset/2684
>
> westi


-- 

Jacob Santos

http://www.santosj.name - blog
http://wordpress.svn.dragonu.net/unittest/ - unofficial WP unit test suite.

Also known as darkdragon and santosj on WP trac.
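The multibyte-charset point raised in the quoted thread, as an added illustration that is not code from the thread or from WordPress: a byte-for-byte model of PHP's addslashes() beside a charset-aware escaper, plus a check that decodes the escaped bytes the way the server would and reports whether an unescaped quote survives. The sample bytes are constructed, and gbk stands in for any charset whose trailing bytes overlap ASCII.

```python
# Added example, not code from the thread or WordPress: why a byte-oriented
# addslashes() is not a safe escaper under a multibyte connection charset.

def addslashes(data: bytes) -> bytes:
    """Byte-for-byte model of PHP's addslashes(): prefix ' " \\ and NUL with \\.
    It never looks at the connection charset, which is the weakness at issue."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Escape after decoding in the connection charset, so a trailing byte of a
    multibyte character is never mistaken for a quote (what
    mysql_real_escape_string() gets right); invalid bytes are replaced here."""
    text = data.decode(charset, errors="replace")
    escaped = "".join("\\" + c if c in "'\"\\\x00" else c for c in text)
    return escaped.encode(charset, errors="replace")

def unescaped_quote(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes the way the server would and report whether a
    single quote survives that is not consumed by a preceding backslash."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2  # the backslash escapes whatever character follows it
            continue
        if text[i] == "'":
            return True
        i += 1
    return False

def escaper_is_safe(escape, sample: bytes, charset: str) -> bool:
    """True if `escape` leaves no quote that a server decoding in `charset`
    would treat as the end of the string literal."""
    return not unescaped_quote(escape(sample), charset)

# Constructed sample: the lead byte of a two-byte gbk character followed by a
# quote, the input shape described in the thread; nothing follows the quote.
SAMPLE = b"\xbf'name"

if __name__ == "__main__":
    print("addslashes, latin-1 :", escaper_is_safe(addslashes, SAMPLE, "latin-1"))
    print("addslashes, gbk     :", escaper_is_safe(addslashes, SAMPLE, "gbk"))
    print("charset-aware, gbk  :",
          escaper_is_safe(lambda d: charset_aware_escape(d, "gbk"), SAMPLE, "gbk"))
```

The same check can be pointed at any escaping routine and at the charset the application actually connects with, which is the setting the thread says decides whether addslashes-style escaping holds.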


