Title: Encoding Issue causing PHP Error and SQL Injection
Last modified: August 31, 2016

---

# Encoding Issue causing PHP Error and SQL Injection

Resolved. [gnowland](https://wordpress.org/support/users/gnowland/) (@gnowland), [9 years, 11 months ago](https://wordpress.org/support/topic/encoding-issue-causing-php-error-and-sql-injection/)

Certain search strings are not being encoded/decoded by the plugin correctly and are thus:

1. Causing the WP_Query SQL string to break, resulting in a WordPress Database error, and
2. Exposing a SQL injection vulnerability. It is currently possible to use certain character combinations to inject a single apostrophe (see below). Ack!

An example search parameter that causes this is: `/?s=A+%5C%27`

Resulting in error:

```
WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%')) OR (((m.meta_value LIKE '%A%') AND (m.meta_value LIKE '%%')) OR (m.meta_va' at line 1]
SELECT DISTINCT SQL_CALC_FOUND_ROWS wp_posts.* FROM wp_posts LEFT JOIN wp_term_relationships AS trel ON (wp_posts.ID = trel.object_id) LEFT JOIN wp_term_taxonomy AS ttax ON ( ( ttax.taxonomy = 'category' OR ttax.taxonomy = 'post_format' OR ttax.taxonomy = 'action-group' OR ttax.taxonomy = 'product_type' OR ttax.taxonomy = 'product_cat' OR ttax.taxonomy = 'product_tag' OR ttax.taxonomy = 'product_shipping_class' OR ttax.taxonomy = 'tribe_events_cat' OR ttax.taxonomy = 'issue_date' OR ttax.taxonomy = 'project_type' OR ttax.taxonomy = 'project_site' ) AND trel.term_taxonomy_id = ttax.term_taxonomy_id) LEFT JOIN wp_terms AS tter ON (ttax.term_id = tter.term_id) LEFT JOIN wp_postmeta AS m ON (wp_posts.ID = m.post_id) LEFT JOIN wp_users AS u ON (wp_posts.post_author = u.ID) WHERE 1=1 AND ( ( (((((wp_posts.post_title LIKE '%A%') OR (wp_posts.post_content LIKE '%A%')) AND ((wp_posts.post_title LIKE '%%') OR (wp_posts.post_content LIKE '%%'))) OR (((tter.slug LIKE '%a%') AND (tter.slug LIKE '%%')) OR (tter.slug LIKE '%a%')) OR (((ttax.description LIKE '%A%') AND (ttax.description LIKE '%%')) OR (ttax.description LIKE '%A \\'%')) OR (((m.meta_value LIKE '%A%') AND (m.meta_value LIKE '%%')) OR (m.meta_value LIKE '%A \\'%')) OR (((wp_posts.post_excerpt LIKE '%A%') AND (wp_posts.post_excerpt LIKE '%%')) OR (wp_posts.post_excerpt LIKE '%A \\'%')) OR ((u.display_name LIKE '%A%') OR (u.display_name LIKE '%%') OR (u.display_name LIKE '%A \\'%')) )) AND wp_posts.post_type IN ('post', 'page', 'attachment', 'nf_sub', 'product', 'wbeexportfile', 'tribe_events', 'tribe_venue', 'programs', 'resources', 'preservationinprint', 'projects') AND (wp_posts.post_status = 'publish' OR wp_posts.post_status = 'acf-disabled' OR wp_posts.post_author = 1 AND wp_posts.post_status = 'private')) AND post_type != 'revision') AND post_status != 'future' ORDER BY (CASE WHEN wp_posts.post_title LIKE '%A \\\\\'%' THEN 1 WHEN wp_posts.post_title LIKE '%\\\\%' THEN 2 WHEN wp_posts.post_excerpt LIKE '%A 
\\\\\'%' THEN 4 WHEN wp_posts.post_content LIKE '%A \\\\\'%' THEN 5 ELSE 6 END), wp_posts.post_date DESC LIMIT 0, 12
```

I have to disable the plugin and urge everyone else to disable this plugin until the vulnerability has been fixed. Please contact me when this has been patched.

Thank you!

[https://wordpress.org/plugins/search-everything/](https://wordpress.org/plugins/search-everything/)

Viewing 2 replies - 1 through 2 (of 2 total)

Thread Starter [gnowland](https://wordpress.org/support/users/gnowland/) (@gnowland), [9 years, 11 months ago](https://wordpress.org/support/topic/encoding-issue-causing-php-error-and-sql-injection/#post-7457428)

This has been fixed by the v.8.1.6 update. Thanks Tyrel!

[Blobfolio](https://wordpress.org/support/users/blobfolio/) (@blobfolio), [9 years, 5 months ago](https://wordpress.org/support/topic/encoding-issue-causing-php-error-and-sql-injection/#post-8499469)

Unfortunately this is still an active issue in 8.1.6. Incorrect escape functions are used throughout the plugin and so fail to properly sanitize data across different server configurations, charsets, etc.

`addslashes()` and equivalent functions are _not_ appropriate for MySQL string data. See e.g. [http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string](http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string)

WordPress provides `esc_sql()` and `$wpdb->esc_like()` functions for this purpose; these must be used instead. Additionally, these filters should not be run again and again as they are currently, or else values will end up looking like `\\\\\\\'`s.
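The failing query above shows the two escape steps getting out of step: in the WHERE clause the search term `A \'` (URL-decoded from `/?s=A+%5C%27`) appears as `'%A \\'%'`, where only the backslash has been escaped and the apostrophe closes the literal early, while the ORDER BY clause of the same query carries the fully escaped `'%A \\\\\'%'`. The Python model below is an added example, not code from the plugin or from WordPress: `esc_like()` and `esc_sql()` are stand-ins for `$wpdb->esc_like()` (LIKE-wildcard escaping only) and `esc_sql()`/`$wpdb->prepare()` (string-literal escaping) under MySQL's default backslash-escape mode, `literal_end()` scans a single-quoted literal the way the server would, and `clause_is_intact()` checks that the literal closes where the code that built the clause meant it to. The column name `m.meta_value` is taken from the error text. It also shows Blobfolio's second point: applying the literal escape twice keeps the clause well-formed but makes it match the wrong value.

```python
from urllib.parse import unquote_plus

# Characters the LIKE-wildcard escape ($wpdb->esc_like() model) protects.
LIKE_META = "%_\\"
# Characters the MySQL string-literal escape (esc_sql() model) protects.
SQL_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"',
               "\0": "\\0", "\n": "\\n", "\r": "\\r"}
SQL_UNESCAPES = {v[1]: k for k, v in SQL_ESCAPES.items()}


def decode_search_param(raw):
    """URL-decode an s= value the way PHP fills $_GET ('+' and %XX)."""
    return unquote_plus(raw)


def esc_like(text):
    """Model of $wpdb->esc_like(): backslash-escape only % _ and \\."""
    return "".join("\\" + c if c in LIKE_META else c for c in text)


def esc_sql(text):
    """Model of esc_sql()/prepare(): escape what would break a literal."""
    return "".join(SQL_ESCAPES.get(c, c) for c in text)


def sql_unescape(body):
    """Invert esc_sql(): the value the server derives from a literal body."""
    out, i = [], 0
    while i < len(body):
        if body[i] == "\\" and i + 1 < len(body):
            out.append(SQL_UNESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        else:
            out.append(body[i])
            i += 1
    return "".join(out)


def like_unescape(pattern):
    """Invert esc_like(): the text a pattern matches literally."""
    out, i = [], 0
    while i < len(pattern):
        if pattern[i] == "\\" and i + 1 < len(pattern) and pattern[i + 1] in LIKE_META:
            out.append(pattern[i + 1])
            i += 2
        else:
            out.append(pattern[i])
            i += 1
    return "".join(out)


def like_clause(column, pattern):
    """Embed an (already escaped) search pattern the way the query above does."""
    return f"({column} LIKE '%{pattern}%')"


def literal_end(sql, start):
    """Index just past the single-quoted literal opening at sql[start],
    honouring backslash escapes and doubled quotes; None if unterminated."""
    i = start + 1
    while i < len(sql):
        c = sql[i]
        if c == "\\":
            i += 2                       # escaped character, whatever it is
        elif c == "'":
            if sql[i + 1:i + 2] == "'":  # '' inside a literal is a quote
                i += 2
            else:
                return i + 1
        else:
            i += 1
    return None


def clause_is_intact(clause):
    """True if the literal closes exactly where like_clause() closed it."""
    end = literal_end(clause, clause.index("'"))
    return end is not None and clause[end:] == ")"


def literal_body(clause):
    """Text between the quotes of the clause's first literal, as the server sees it."""
    start = clause.index("'")
    end = literal_end(clause, start)
    return None if end is None else clause[start + 1:end - 1]


def stored_match_text(clause):
    """Undo both escapes: what the database really matches, wildcards aside."""
    body = literal_body(clause)
    return None if body is None else like_unescape(sql_unescape(body))


if __name__ == "__main__":
    term = decode_search_param("A+%5C%27")   # the thread's /?s= value
    variants = [("esc_like only", esc_like(term)),
                ("esc_like then esc_sql", esc_sql(esc_like(term))),
                ("esc_sql applied twice", esc_sql(esc_sql(esc_like(term))))]
    for label, pattern in variants:
        clause = like_clause("m.meta_value", pattern)
        print(f"{label:22} {clause}")
        print(f"{'':22} intact={clause_is_intact(clause)} matches={stored_match_text(clause)!r}")
```

Running it reproduces the WHERE-clause shape from the error (`esc_like` only, literal not intact), the ORDER BY shape (`esc_like` then `esc_sql`, intact and matching `%A \'%`), and the over-escaped case Blobfolio describes (intact, but matching a string with extra backslashes). The order matters: the wildcard escape must run first, and the literal escape exactly once, on the final string that is interpolated.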

The topic ‘Encoding Issue causing PHP Error and SQL Injection’ is closed to new 
replies.

## Tags

 * [decoding](https://wordpress.org/support/topic-tag/decoding/)
 * [encoding](https://wordpress.org/support/topic-tag/encoding/)
 * [sql](https://wordpress.org/support/topic-tag/sql/)
 * [sql injection](https://wordpress.org/support/topic-tag/sql-injection/)
 * [WordPress database error](https://wordpress.org/support/topic-tag/wordpress-database-error/)

 * 2 replies
 * 2 participants
 * Last reply from: [Blobfolio](https://wordpress.org/support/users/blobfolio/)
 * Last activity: [9 years, 5 months ago](https://wordpress.org/support/topic/encoding-issue-causing-php-error-and-sql-injection/#post-8499469)
 * Status: resolved