Newsgroups: php.internals
Date: Mon, 19 Jul 2021 15:19:07 +0100
From: craig@craigfrancis.co.uk (Craig Francis)
To: Guilliam Xavier
Cc: Hans Henrik Bergan, PHP internals
Subject: Re: [PHP-DEV] [RFC] [VOTE] is_literal

On Mon, 19 Jul 2021 at 12:51, Guilliam Xavier wrote:

> there was *indeed* an SQL injection vulnerability in that code.

Yep, you're right, there was an issue in there as well.

esc_like() also needs to use esc_sql() for the value to be added directly to the SQL string.

By changing to $wpdb->prepare(), assuming a literal string for the $query argument, then esc_sql() would have been used automatically (technically escape_by_ref).

Shall we just put it down as another example of escaping going wrong, why Parameterised Queries work, and how Taint Checking isn't really a solution (as the value was escaped, ish).

And if you want another fun one, not that anyone should be using inline JavaScript, but esc_js() doesn't escape single quotes:

    $variable = '\' onmouseover=alert(1) a=\'';
    $html = "Link";

https://developer.wordpress.com/themes/escaping/#javascript

Craig
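The esc_like()/esc_sql() point above, as an added example that is not from Craig's email or from WordPress: a LIKE-wildcard escaper leaves quotes untouched, so concatenating its output into SQL still hands the value to the SQL parser, while binding it as a parameter keeps it data. PDO with an in-memory SQLite table is assumed as a stand-in for $wpdb, and esc_like_demo() is a constructed stand-in for $wpdb->esc_like(), not its real implementation.

```php
<?php
// Added example: a LIKE-wildcard escaper in the style of $wpdb->esc_like() only
// neutralises % and _ (and backslash), so a value passed through it is still
// unsafe to concatenate into SQL; binding it as a parameter, which is what
// $wpdb->prepare() does for a %s placeholder, keeps it data. PDO with an
// in-memory SQLite table stands in for $wpdb; esc_like_demo() is a constructed
// stand-in, not WordPress's code.

function esc_like_demo(string $text): string
{
    // Escape only the LIKE metacharacters; a single quote passes through untouched.
    return addcslashes($text, '_%\\');
}

function search_concat(PDO $db, string $term): array
{
    // Vulnerable composition: wildcard escaping, then string concatenation.
    // Any quote in the value terminates the SQL string literal.
    $sql = "SELECT title FROM posts WHERE title LIKE '%" . esc_like_demo($term) . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

function search_prepared(PDO $db, string $term): array
{
    // Safe composition: the SQL text is a literal and the pattern is a bound
    // parameter. ESCAPE '\' tells SQLite that backslash is the wildcard escape
    // (MySQL, which $wpdb targets, assumes that by default).
    $stmt = $db->prepare("SELECT title FROM posts WHERE title LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => '%' . esc_like_demo($term) . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE posts (title TEXT)");
$db->exec("INSERT INTO posts VALUES ('Hello world'), ('100% done'), ('O''Brien''s post')");

// Constructed inputs: a wildcard the escaper handles, and a quote it does not.
var_dump(search_prepared($db, '100%'));     // the escaped % must not act as a wildcard
var_dump(search_prepared($db, "O'Brien"));  // the apostrophe travels as data

try {
    search_concat($db, "O'Brien");          // the apostrophe reaches the SQL parser
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}
```

The failing concatenated query is the benign symptom of the same defect the email describes; an attacker-chosen value would change the statement rather than break it, which is why the SQL text itself should stay a literal.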