
Fixing _weak_escape errors in WordPress 2.8 May 29, 2009

Posted by evilzenscientist in: evilzenscientist

I’m hoping this saves someone some searching.

I upgraded a couple of blogs to WordPress 2.8 beta early this morning – and I had problems with a single plugin – Audit Trail by John Godley.

The symptom was that on login you got a blank screen and Apache/PHP threw this:

[Fri May 29 11:59:05 2009] [error] [client 10.0.0.1] PHP Fatal error:  Call to undefined method AT_Auditor::_weak_escape() in /www/<foo>/wp-includes/wp-db.php on line 487, referer: http://<foo>/wp-login.php?redirect_to=/

The plugin itself is nicely written – and as part of its safety mechanism it calls wpdb::escape to escape anything before inserting it into the database.

One change in WP 2.8 looks like it affects this – login redirects are now urlencoded by default – http://core.trac.wordpress.org/ticket/9817 – and that looks like it’s clashing with the wpdb::escape call mentioned above.

The temporary fix for me is to modify part of the plugin so that it no longer calls into wpdb::escape – and instead assumes that the URL has already been escaped.

wp-content/plugins/audit-trail/models/audit.php, line 173 (commented out):

// $operation = wpdb::escape ($operation);

The risk for my implementation seems small – I’m only using audit-trail to track logins and logouts.

So if you are hunting down a generic <class>::_weak_escape error in WordPress 2.8 beta – take a trawl through your plugins and see if there is a wpdb::escape call. There may be some relatively low-impact fixes out there.

Comments

1. ACTiVEiNGREDiENT - June 15, 2009

Perhaps a better temp fix is to use the object method call instead of the class method call:

wp-content/plugins/audit-trail/models/audit.php

line 173

$operation = wpdb->escape ($operation);

I believe John (the plugin author) is fixing all of his plugins in light of the changes made in 2.8.

2. ACTiVEiNGREDiENT - June 15, 2009

Whoops, should be:

global $wpdb; // $wpdb is WordPress's global database object; declare it inside the method
$operation = $wpdb->escape ($operation);
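To show why the static wpdb::escape call in the post breaks under 2.8, and why the instance call in the comment above works, here is an added PHP illustration (not code from the post or from the Audit Trail plugin); wpdb_stub and AT_Auditor_stub are simplified stand-ins for the real classes, and the redirect value is constructed.

```php
<?php
// Added illustration, not code from the post or the Audit Trail plugin.
// wpdb_stub stands in for WordPress 2.8's wpdb: as the error in the post
// shows, escape() now delegates to the instance method _weak_escape().
class wpdb_stub {
    function _weak_escape($string) {
        return addslashes($string);
    }
    function escape($data) {
        if (is_array($data)) {
            foreach ($data as $k => $v) {
                $data[$k] = $this->escape($v);
            }
            return $data;
        }
        return $this->_weak_escape($data);
    }
}

$wpdb = new wpdb_stub();   // WordPress keeps its live instance in this global

// AT_Auditor_stub stands in for the plugin's AT_Auditor class.
class AT_Auditor_stub {
    // Broken form (the plugin's original line 173): a static call. Inside an
    // instance method of another class, PHP 5 binds $this to the calling
    // object, so $this->_weak_escape() is looked up on AT_Auditor, which has
    // no such method: "Call to undefined method AT_Auditor::_weak_escape()".
    function log_static($operation) {
        return wpdb_stub::escape($operation);
    }
    // Fixed form (the commenter's suggestion): call escape() on the global
    // wpdb instance, so $this inside escape() is the wpdb object.
    function log_instance($operation) {
        global $wpdb;
        return $wpdb->escape($operation);
    }
}

$auditor  = new AT_Auditor_stub();
$redirect = "/wp-admin/?q=it's";   // constructed sample redirect_to value

echo $auditor->log_instance($redirect), "\n";

// PHP 5 dies with a fatal error here; PHP 7 and later throw an Error instead
// (the message differs by version), which is caught so the script keeps running.
try {
    echo $auditor->log_static($redirect), "\n";
} catch (Error $e) {
    echo "static call failed: ", $e->getMessage(), "\n";
}
```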

3. UnDeprived » WordPress 2.8 hiccups so far… - June 16, 2009

[...] out all the wp::db escape() which is less secure, but it will fix your problem. According to evilzenscientist, the wp::db escape() secures data injections. Hey, quick fix until someone writes a new FAQ [...]

4. evilzenscientist - June 18, 2009

Yes – it’s fixed in an updated plugin now.