[wp-hackers] WordPress Charset SQL Injection Vulnerability

James Davis james at freecharity.org.uk
Wed Dec 12 09:42:29 GMT 2007

Jeremy Visser wrote:

> This wouldn't occur if WP was using mysql_real_escape_string(), am I
> correct?

Yes but there's a catch. mysql_real_escape_string() doesn't take any
notice of SET NAMES or SET CHARACTER SET statements that have been
issued to change the character set of the mysql session. It continues to
use the original character until mysql_real_escape_string()
(PHP/mysqli's set_charset()) is called.

Unfortunatly mysqli's set_charset() requires PHP >= 5.0.5 and presumably
the presence of MySQL's mysql_real_escape_string() which requires MySQL
>= 5.0.7. So using set_charset() in WordPress may prove problematic. I
presume these were the problems referred to in the commented out code in

Potential alternatives I've thought about are to write an escaping
function similar to MySQL's escape_string_for_mysql() (mysys/charset.c
in the MySQL source), or, detect the environment which allows the
problem to occur and prompt the user to reconfigure MySQL so that the
client connection starts in the correct character set in the first
place. That second option may not be available to users of hosting
services. I'm sure other alternatives may exist.



http://www.freecharity.org.uk/ - Free IT services for charities
http://www.freecharity.org.uk/wiki/ - The VCSWiki

More information about the wp-hackers mailing list