Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Wordpress support potentially misleading #53

Open
kentfredric opened this issue Nov 22, 2014 · 0 comments
Open

Wordpress support potentially misleading #53

kentfredric opened this issue Nov 22, 2014 · 0 comments
Assignees
@petdance

Comments

@kentfredric
Copy link

http://bobby-tables.com/php.html

I should point out, that the Wordpress DB "parameter binding" is not only sprintf like, but is in fact, implemented in terms of sprintf and the queries are interpolated and sent as single queries to the database after throwing mysql_real_escape_string at them ( and a bunch of other regular expressions ).

As such, I don't believe calling it parameter binding is truthful in anyway, and there are potential security leaks hiding in wordpresses custom escaping logic.
@petdance petdance self-assigned this Dec 27, 2016
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@petdance petdance

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@petdance @kentfredric