
I was using a WordPress plugin that broke on update to 4.3. The error was

mysql_real_escape_string(): Access denied for user

I found out that the error was because the mysql_real_escape_string is called from within MySQL and needs to be logged in before execution. Solutions were to include a mysql_connect before the mysql_real_escape_string, which solved the problem. But it seems from many of the comments, the mysql_real_escape_string and this solution should not be used for various security reasons. But I am not sure how to change the code to PDO::quote etc. as I am not really sure what's going on. The query I am trying to change is

function custom_permalinks_request($query) {
    global $wpdb;
    global $_CPRegisteredURL;

    // First, search for a matching custom permalink, and if found, generate the corresponding
    // original URL

    $originalUrl = NULL;

    // Get request URI, strip parameters and s
    $url = parse_url(get_bloginfo('url'));
    $url = isset($url['path']) ? $url['path'] : '';
    $request = ltrim(substr($_SERVER['REQUEST_URI'], strlen($url)),'/');
    $request = (($pos=strpos($request, '?')) ? substr($request, 0, $pos) : $request);
    $request_noslash = preg_replace('@/+@','/', trim($request, '/'));
    if ( !$request ) return $query;
    $sql = "SELECT $wpdb->posts.ID, $wpdb->postmeta.meta_value, $wpdb->posts.post_type FROM $wpdb->posts  ".
                "LEFT JOIN $wpdb->postmeta ON ($wpdb->posts.ID = $wpdb->postmeta.post_id) WHERE ".
                "  meta_key = 'custom_permalink' AND ".
                "  meta_value != '' AND ".
                "  ( LOWER(meta_value) = LEFT(LOWER('".mysql_real_escape_string($request_noslash)."'), LENGTH(meta_value)) OR ".
                "    LOWER(meta_value) = LEFT(LOWER('".mysql_real_escape_string($request_noslash."/")."'), LENGTH(meta_value)) ) ".
                "ORDER BY LENGTH(meta_value) DESC LIMIT 1";
    $posts = $wpdb->get_results($sql);
    return $query;
}

Is there an easy way to replace the mysql_real_escape_string or a better way to do this? I am not sure this question is similar, but I don't see how to implement the answers.
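As an added example (editor's code, not the plugin's own and not from the original post), here is the same function with the two mysql_real_escape_string() calls replaced by WordPress's $wpdb->prepare(). WordPress does not use PDO, but $wpdb->prepare() takes sprintf-style %s / %d placeholders, escapes each argument through the same database connection that $wpdb->get_results() will run the query on (so the connection and character set match, which a separate mysql_connect() does not guarantee), and adds the surrounding quotes itself, so the %s placeholders must not be wrapped in quotes. The add_filter() registration and the omitted remainder of the function after $posts is fetched are assumptions; the question only shows the query.

```php
<?php
// Editor's rewrite of the plugin's custom_permalinks_request(); assumes it runs
// inside WordPress where $wpdb, get_bloginfo() and add_filter() exist.
function custom_permalinks_request($query) {
    global $wpdb;

    // Derive the request path exactly as the original plugin does: strip the
    // site's base path, the query string, and redundant slashes.
    $url = parse_url(get_bloginfo('url'));
    $url = isset($url['path']) ? $url['path'] : '';
    $request = ltrim(substr($_SERVER['REQUEST_URI'], strlen($url)), '/');
    $request = (($pos = strpos($request, '?')) ? substr($request, 0, $pos) : $request);
    $request_noslash = preg_replace('@/+@', '/', trim($request, '/'));
    if (!$request) {
        return $query;
    }

    // Table names come from $wpdb, not from the browser, so interpolating
    // them is fine. The request path is attacker-controlled and goes in only
    // through %s placeholders; prepare() escapes and quotes each one using
    // the connection that get_results() will use.
    $sql = $wpdb->prepare(
        "SELECT {$wpdb->posts}.ID, {$wpdb->postmeta}.meta_value, {$wpdb->posts}.post_type
           FROM {$wpdb->posts}
           LEFT JOIN {$wpdb->postmeta} ON ({$wpdb->posts}.ID = {$wpdb->postmeta}.post_id)
          WHERE meta_key = 'custom_permalink'
            AND meta_value != ''
            AND ( LOWER(meta_value) = LEFT(LOWER(%s), LENGTH(meta_value))
               OR LOWER(meta_value) = LEFT(LOWER(%s), LENGTH(meta_value)) )
          ORDER BY LENGTH(meta_value) DESC
          LIMIT 1",
        $request_noslash,
        $request_noslash . '/'
    );
    $posts = $wpdb->get_results($sql);

    // The question's snippet stops here; whatever the plugin does with $posts
    // (building the original URL from the match) is not shown, so it is not
    // reproduced. The unchanged $query is returned as in the question.
    return $query;
}

// Assumption: the plugin hooks this function on the 'request' filter, which
// is what the $query parameter and return value suggest.
add_filter('request', 'custom_permalinks_request');
```

Two caveats worth knowing before choosing the mysql_connect() workaround instead: a second connection opened by the plugin can have a different character set from $wpdb's, which is exactly the mismatch that makes escaping unreliable, and the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0, so that workaround stops working on current PHP while $wpdb->prepare() keeps working. Any literal % in a query passed to prepare() (for example in a LIKE pattern) must be written as %%, and LIKE wildcards in user input should be escaped with $wpdb->esc_like() before binding.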

  • If properly used mysql_real_escape_string is pretty secure, although now deprecated. There are complex tricks that can be done to breach it. Problem here is that I suspect your connection through the $wpdb object is not identical to the one used by mysql_real_escape_string. The connection is important to escape the data correctly, otherwise you could just use mysql_escape_string which doesn't require a connection but which is less secure. – Kickstart Sep 07 '15 at 13:58
  • This question made it seem pretty bad - http://stackoverflow.com/questions/18378976/php-mysql-real-escape-string-access-denied-for-user-www-datalocalhost But maybe that's because it is PDO, which I don't think WordPress is? And adding a mysql_connect with all the data to the function, is safe enough? – Jon Sep 07 '15 at 14:39
  • Problem is that it is meant to be the same link as is being used by the query, not just a random link. Mysql_real_escape_string escapes things that are specific to that connection (eg, the character set used), hence using a different link can result in things being escaped incorrectly. If you are using pdo then you can pass parameters and do not concatenate in escaped strings. – Kickstart Sep 07 '15 at 15:32
  • mySQL is not my strength, but thanks for the help. I understand it a bit more. – Jon Sep 07 '15 at 16:56

0 Answers