View Issue Details

ID: 0001031
Project: Main CAcert Website
Category: Audit issues
View Status: public
Last Update: 2018-11-18 13:46
Reporter: clopez
Assigned To: Patrick
Status: fix available
Resolution: open
Platform: Default
OS: any
OS Version: any
Summary: 0001031: Disable use of insecure function mysql_escape_string()
Description: mysql_escape_string() is insecure


And it's used in core parts like user password logging:

$ grep -rl mysql_escape_string .

Theoretically this can be exploited to perform a SQL Injection attack.

Please replace all mysql_escape_string() occurrences with the secure mysql_real_escape_string().

You can do this simply by executing this command in the top directory:

grep -rl mysql_escape_string . | xargs sed -i "s/mysql_escape_string/mysql_real_escape_string/g"
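Added here as an example, not part of the original report or of CAcert's code: a shell function that applies the replacement above with a whole-word match, so identifiers that merely contain the name are left alone, and then re-scans the tree so the audit can confirm that no bare call sites remain. It assumes GNU grep and sed; the sample file and the helper name in it are constructed.

```shell
# Added example, not CAcert's own script. Assumes GNU grep/sed (for -w, \b
# and sed -i). migrate_escape_calls DIR rewrites mysql_escape_string( call
# sites under DIR to mysql_real_escape_string( and echoes how many bare
# mysql_escape_string occurrences are still left (0 means the fix is complete).
migrate_escape_calls() {
    dir="$1"
    # -w / \b: match the whole word only, so a hypothetical helper named
    # my_mysql_escape_string_wrapper (constructed name) is not rewritten
    # into a non-existent my_mysql_real_escape_string_wrapper.
    grep -rlw 'mysql_escape_string' "$dir" | while IFS= read -r f; do
        sed -i 's/\bmysql_escape_string\b/mysql_real_escape_string/g' "$f"
    done
    # Re-scan: any remaining whole-word hit is a call the rewrite missed.
    grep -rnw 'mysql_escape_string' "$dir" | wc -l | tr -d ' '
}

# Stand-alone demo on a constructed PHP file in a temporary directory.
demo_dir=$(mktemp -d)
printf '%s\n' '<?php' \
    '$email = mysql_escape_string($_POST["email"]);' \
    'my_mysql_escape_string_wrapper($email); // constructed helper name' \
    > "$demo_dir/login.php"
echo "remaining bare call sites: $(migrate_escape_calls "$demo_dir")"
cat "$demo_dir/login.php"
rm -rf "$demo_dir"
```

mysql_real_escape_string() needs an open database connection, so any call site that runs before mysql_connect() still has to be reviewed by hand after the rewrite.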
Tags: No tags attached.


related to 0001162 (fix available, INOPIAE): calculate (the passwords) hash in php instead of in mysql -> \\
related to 0001260 (needs work, BenBE): Make the source compatible with recent PHP versions
related to 0001442 (needs review & testing, GuKKDevel): Rewrite code to use ext/mysqli API (or PDO_MySQL) instead of ext/mysql
related to 0000156 (needs work, bluec): magic_quotes_gpc vs. mysql_escape_string()



2015-02-27 22:06

updater   ~0005336

I quickly wrote the fix.


2018-11-18 13:46

administrator   ~0005684

Note that 0001442 also replaces mysql_real_escape_string by mysqli_real_escape_string.

So, once bug-1442 is installed, this issue is obsolete.

Issue History

Date Modified Username Field Change
2012-04-09 03:12 clopez New Issue
2013-05-15 05:59 INOPIAE Relationship added related to 0001162
2013-11-12 21:25 INOPIAE Relationship added related to 0000156
2014-03-19 10:54 BenBE Relationship added related to 0001260
2015-02-27 22:04 Patrick Assigned To => Patrick
2015-02-27 22:06 Patrick Note Added: 0005336
2015-03-10 21:22 INOPIAE Status new => fix available
2018-11-18 13:45 Ted Relationship added related to 0001442
2018-11-18 13:46 Ted Note Added: 0005684