WordPress.org

Support

Support » Plugins and Hacks » The escape method in WordPress DB Class – possible SQL injection

The escape method in WordPress DB Class – possible SQL injection

  • I’ve installed WordPress sometimes ago and check some security issues.

    What i’ve seen its possible SQL injection, because escaping method in wpdb use simple addslashes. If You want read something about this possible injections type this in Google.

    function escape($string) {
    	return addslashes( $string );
    	// Disable rest for now, causing problems
    	/*
    	if( !$this->dbh || version_compare( phpversion(), '4.3.0' ) == '-1' )
    		return mysql_escape_string( $string );
    	else
    		return mysql_real_escape_string( $string, $this->dbh );
    	*/
    }

    what I suggest to do is below:

    function escape($string) {
    	if ( $this->dbh && function_exists( 'mysql_real_escape_string' ) )
    		return mysql_real_escape_string( $string, $this->dbh );
    	elseif ( function_exists( 'mysql_escape_string' ) )
    		return mysql_escape_string( $string );
    	else
    		return addslashes( $string );
    }

    Greetings 😉

  • The topic ‘The escape method in WordPress DB Class – possible SQL injection’ is closed to new replies.
Skip to toolbar