[wp-trac] [WordPress Trac] #11605: wpdb::_weak_escape() is an alias to addslashes only

WordPress Trac wp-trac at lists.automattic.com
Sun Dec 27 20:36:46 UTC 2009


#11605: wpdb::_weak_escape() is an alias to addslashes only
-----------------------------+----------------------------------------------
 Reporter:  hakre            |        Owner:  ryan    
     Type:  defect (bug)     |       Status:  reopened
 Priority:  normal           |    Milestone:  3.0     
Component:  Security         |      Version:  2.9     
 Severity:  normal           |   Resolution:          
 Keywords:  has-patch close  |  
-----------------------------+----------------------------------------------

Comment(by Denis-de-Bernardy):

 > Escaping in wpdb is abstracted into escape, _escape, _weak_escape and
 > _real_escape for very good reasons.

 Err, I'd say that these various functions exist for extremely bad reasons.
 We've banged our head into the table, for years, in order to support
 completely obsolete versions of PHP and MySQL. We end up with workarounds
 and workarounds around the workarounds.

 It's like, heck, escape() should do exactly that: '''escape'''. Not weak,
 or real, or maybe, or maybe not, or anything else; plain, simple escape.
 There should only be a single method and it should do its job properly.

 WP 3.0 probably isn't the right time to clean this mess up, though. Maybe
 when we switch to PHP 5.1 and decide whether we start using PDO?

-- 
Ticket URL: <http://core.trac.wordpress.org/ticket/11605#comment:9>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software

