[wp-trac] [WordPress Trac] #11605: esc_sql does not escape sql, it just adds slashes

WordPress Trac wp-trac at lists.automattic.com
Sun Dec 27 11:06:18 UTC 2009


#11605: esc_sql does not escape sql, it just adds slashes
--------------------------+-------------------------------------------------
 Reporter:  hakre         |        Owner:  ryan   
     Type:  defect (bug)  |       Status:  closed 
 Priority:  normal        |    Milestone:         
Component:  Security      |      Version:         
 Severity:  normal        |   Resolution:  invalid
 Keywords:                |  
--------------------------+-------------------------------------------------
Changes (by nacin):

  * keywords:  has-patch =>
  * status:  new => closed
  * version:  2.9 =>
  * resolution:  => invalid
  * milestone:  3.0 =>


Comment:

 esc_sql() is not an alias for addslashes(). It is an alias for
 $wpdb->escape(), big difference:

 Anyone using a drop-in wpdb replacement would suddenly find their SQL
 unescaped.

 wpdb->escape() supports arrays.

 This change might cause some developers to simply use addslashes() instead
 of esc_sql(). $wpdb->escape() used to be set up to do more than
 addslashes(), and may evolve in the future. (Also take a look at the
 _escape and _real_escape methods.) Thus, definitely not easier to improve
 in the future.

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11605#comment:1>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
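The design point in the comment above, as an added illustration that is not WordPress's own code: esc_sql() hands the work to whatever $wpdb object is installed, so escaping stays charset-aware when a live connection exists, recurses into arrays, and is picked up by drop-in wpdb replacements. The class names Wpdb_Demo and Logging_Wpdb and the function esc_sql_demo() are hypothetical stand-ins for wpdb and esc_sql().

```php
<?php
// Added illustration (not WordPress code): why esc_sql() delegates to
// $wpdb->escape() instead of calling addslashes() directly.

// Minimal stand-in for the wpdb class (hypothetical name Wpdb_Demo).
class Wpdb_Demo {
    private $dbh; // mysqli connection, or null when not connected

    public function __construct(?mysqli $dbh = null) {
        $this->dbh = $dbh;
    }

    // Connection-charset-aware escaping when a connection exists,
    // addslashes() only as a last resort.
    protected function _real_escape(string $string): string {
        if ($this->dbh instanceof mysqli) {
            return mysqli_real_escape_string($this->dbh, $string);
        }
        return addslashes($string);
    }

    // Recurses into arrays, which a bare addslashes() call cannot do.
    public function escape($data) {
        if (is_array($data)) {
            foreach ($data as $k => $v) {
                $data[$k] = is_array($v) ? $this->escape($v) : $this->_real_escape((string) $v);
            }
            return $data;
        }
        return $this->_real_escape((string) $data);
    }
}

// Same contract as esc_sql(): delegate to whatever $wpdb is installed.
function esc_sql_demo($data) {
    global $wpdb;
    return $wpdb->escape($data);
}

// A drop-in replacement only overrides escape(); esc_sql_demo() picks it up
// without any change to callers.
class Logging_Wpdb extends Wpdb_Demo {
    public $seen = [];
    public function escape($data) {
        $this->seen[] = $data;
        return parent::escape($data);
    }
}

$wpdb = new Wpdb_Demo();                 // no connection: addslashes() fallback
$single = esc_sql_demo("O'Reilly");      // constructed sample input
$nested = esc_sql_demo(["a'b", ['c"d']]); // arrays are escaped element by element

$wpdb = new Logging_Wpdb();              // swap the implementation at runtime
esc_sql_demo("x");
var_dump($single, $nested, $wpdb->seen);
```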