[wp-trac] Re: [WordPress Trac] #5455: Charset SQL Injection Vulnerability
WordPress Trac
wp-trac at lists.automattic.com
Fri Dec 14 08:30:18 GMT 2007
#5455: Charset SQL Injection Vulnerability
-----------------------+----------------------------------------------------
Reporter: pishmishy | Owner: pishmishy
Type: defect | Status: assigned
Priority: normal | Milestone: 2.5
Component: Security | Version: 2.4
Severity: normal | Resolution:
Keywords: |
-----------------------+----------------------------------------------------
Comment (by pishmishy):
Replying to [comment:9 ryan]:
> There are both mysql_set_charset() and mysqli_set_charset flavors, I
> believe. I think you have to have fairly recent versions of MySQL and PHP
> for these things to work as they should. set_charset() is a necessity for
> us.
Whoops, so there is. How did that sneak in there?
> It looks like drupal uses mysql_real_escape_string() and SET NAMES
> without using mysql_set_charset(). I wonder how they get away with that.
> I think they upgrade their tables so that they are in UTF-8. Maybe they
> force UTF-8 everywhere?
I'm not sure, but I'll take a look. I'm not sure that the character set of
the tables affects the problem, but my knowledge starts to run out at this
point :-)
--
Ticket URL: <http://trac.wordpress.org/ticket/5455#comment:10>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software