[wp-hackers] WordPress Charset SQL Injection Vulnerability

Austin Matzko if.website at gmail.com
Sat Dec 15 23:03:34 GMT 2007


On Dec 15, 2007 5:26 PM, Lloyd Budd <lloydomattic at gmail.com> wrote:
> On Dec 15, 2007 1:09 PM, Robin Adrianse <robin.adr at gmail.com> wrote:
> > I've never understood why WordPress displays detailed SQL errors in an
> > environment that is almost definitely production. Maybe it would be more
> > prudent to be able to disable these? If something got changed around I
> > wouldn't want my visitors to be seeing paragraphs of SQL errors everywhere.
>
> Hi Robin,
>
> Can you provide some specific examples of these? (bug #s) Generally,
> that isn't the case, and my experience has been that they have been
> fixed when identified.

I think he may be talking about suppressing DB errors in general.  For
example, currently WP calls the wpdb show_errors method in several
places.  It seems to me that the show_errors object variable should be
set to false, and the show_errors method should be called only if
WP_DEBUG is set to true.  Were that the case, the error mentioned in
this thread would not show.
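
A sketch of the arrangement proposed in the message above, as an added example that is not part of the original email and is not WordPress code. `DemoDb` is a hypothetical stand-in class that borrows only the `show_errors` property and `show_errors()`/`hide_errors()` method names from wpdb; the sample error and query are constructed.

```php
<?php
// Hypothetical stand-in for wpdb; only the $show_errors property and the
// show_errors()/hide_errors() method names mirror the real class.
class DemoDb {
    public $show_errors = false;   // proposed default: never display
    public $last_error  = '';

    public function show_errors( $show = true ) {
        $previous          = $this->show_errors;
        $this->show_errors = (bool) $show;
        return $previous;
    }

    public function hide_errors() {
        return $this->show_errors( false );
    }

    // Simulated failure path: a real wrapper would get $error and $query from the driver.
    public function print_error( $error, $query ) {
        $this->last_error = $error;
        // Always record the detail server-side for the site owner.
        error_log( "Database error: $error for query: $query" );
        if ( ! $this->show_errors ) {
            return '';   // visitors see nothing about the schema or the query
        }
        // Debug mode only: escape before output, since the query may hold user input.
        return '<div class="db-error"><p>'
            . htmlspecialchars( "$error [$query]", ENT_QUOTES, 'UTF-8' )
            . '</p></div>';
    }
}

// Bootstrap: display is opt-in, tied to WP_DEBUG as the message proposes.
if ( ! defined( 'WP_DEBUG' ) ) {
    define( 'WP_DEBUG', false );   // production default
}
$db = new DemoDb();
if ( WP_DEBUG ) {
    $db->show_errors();
}

// Constructed sample error and query, not taken from the thread.
$html = $db->print_error(
    "Unknown column 'x' in 'where clause'",
    "SELECT * FROM wp_posts WHERE x = '<b>1</b>'"
);
echo WP_DEBUG ? $html . "\n" : "No error markup sent to the visitor.\n";
```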

