[wp-hackers] WordPress Charset SQL Injection Vulnerability

Abel Cheung abelcheung at gmail.com
Thu Dec 13 07:41:49 GMT 2007

On Dec 12, 2007 5:42 PM, James Davis <james at freecharity.org.uk> wrote:
> > This wouldn't occur if WP was using mysql_real_escape_string(), am I
> > correct?
> Yes but there's a catch. mysql_real_escape_string() doesn't take any
> notice of SET NAMES or SET CHARACTER SET statements that have been
> issued to change the character set of the mysql session. It continues to
> use the original character until mysql_real_escape_string()
> (PHP/mysqli's set_charset()) is called.

There is also a second catch: original content may not be all valid data
within a certain encoding. In my example 0xB327 is not a valid character
in either Big5 or GBK. Usually in such cases the first byte is ignored, then
viola, the second byte becomes a standalone single quote, and is escaped
with backslash.


> Unfortunatly mysqli's set_charset() requires PHP >= 5.0.5 and presumably
> the presence of MySQL's mysql_real_escape_string() which requires MySQL
> >= 5.0.7. So using set_charset() in WordPress may prove problematic. I
> presume these were the problems referred to in the commented out code in
> escape().
> Potential alternatives I've thought about are to write an escaping
> function similar to MySQL's escape_string_for_mysql() (mysys/charset.c
> in the MySQL source), or, detect the environment which allows the
> problem to occur and prompt the user to reconfigure MySQL so that the
> client connection starts in the correct character set in the first
> place. That second option may not be available to users of hosting
> services. I'm sure other alternatives may exist.
> http://trac.wordpress.org/ticket/5455
> James
> --
> http://www.freecharity.org.uk/ - Free IT services for charities
> http://www.freecharity.org.uk/wiki/ - The VCSWiki
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

Abel Cheung   (GPG Key: 0xC67186FF)
Key fingerprint: 671C C7AE EFB5 110C D6D1  41EE 4152 E1F1 C671 86FF
* My own cave: http://me.abelcheung.org/
* Opensource Application Knowledge Assoc. - http://oaka.org/

More information about the wp-hackers mailing list