WordPress continual source of security nightmares

I’m going to start this post with an apology. If you’ve been traceback spammed by me, or if you’ve endured other spammer related issues because of my blog I’m sorry.

I’d like to ask the WordPress development community one simple question.

IS IT SO HARD TO PASS EVERY DAMNED STRING TO mysql_real_escape_string ?

Never in my years developing web sites with mysql have I left open the simplest of exploits, the SQL injection exploit, now wordpress isn’t that big a code base, and most of the commenting/posting is passed through the same scripts, but time and time again I’m getting hit with sql injection exploits. The last one, wiped out my previous post, reindexed pages as posts and dumped in hundreds of spam links. Now without proper internet access at the moment this is a serious problem, twice in the last week I’ve had a bot intrude into my personal web space, because of bad code in wordpress, I’ve updated it once, and now I’m told there’s another update. Wouldn’t it be nice if they could get their act together and stop making wordpress users vulnerable to the simplest exploit around!

For wordpress hackers some relevant documentation….

This entry was posted on Monday, March 31st, 2008 at 6:43 am and is filed under Various. You can follow any comments to this entry through the RSS 2.0 feed. You can leave a comment, or trackback from your own site.

5 comments

  1. lol
    March 31, 2008 at 8:49 am

    typical PHP programmers

  2. pabs
    March 31, 2008 at 9:46 am

    WRONG SOLUTION!

    Instead, use prepared statements.

  3. Abel Cheung
    March 31, 2008 at 9:59 am

    No no no, never do that, I _DID_ try changing addslashes() into mysql_real_escape_string() in my own blog. It was a disaster. The reason: after changing to mysql_real_escape_string(), your blog settings, especially those with values spanning multiple lines, will be mangled. That means using mysql_real_escape_string() actually damages your blog setting! It’s disheartening.

    It is mentioned that WP 2.5 uses prepared statement. Not sure if that helps, I haven’t checked.

  4. Karl Lattimer
    March 31, 2008 at 10:03 am

    @abel: Seems to me that wordpress <2.5 is built of rubber bands and duct tape… You’re right it is disheartening…

    @pabs: I didn’t realise prepared statements were being used in 2.5, an upgrade is in order!

  5. James Henstridge
    March 31, 2008 at 11:13 am

    If the APIs used by WordPress seem to be insecure by default, I’d be inclined to blame the API.

    If there is no alternative API, can they wrap the existing API in a way that is secure by default, and use that everywhere?

Leave a comment