WordPress plugins silently discard data
-
-
Filed under: are you ready for Y2K18?
-
MySQL databases, not in STRICT mode, will truncate values if they’re over the max character count for a particular column and will insert the new record with a warning. When in STRICT mode, MySQL will not accept the record and will return an error.
This can (obviously) bite you in any other application that uses MySQL.
Fun fact - WordPress introduced this truncation when the comments were (ab)used to submit properly formed but excessively long HTML that gets silently truncated at a critical point to become an XSS vector.Another nasty trap is that MySQL without STRICT will silently truncate your strings if it detects an encoding problem. Combine that with its castrated
utf8charset that only supports BMP/three bytes per character, and watch how typing an emoji destroys everything that follows.
-
For years, plugin developers have assumed that IP addresses were always in the standard IPv4, 15-character format ... However, IPv6 has a much longer 39-character format that looks like this: 2001:0db8:85a3:0000:0000:8a2e:0370:7334 [and so Wordpress discards the data because IPv6 addresses are larger than expected].
TR
is storing strongly-typed data (like IP addresses) as strings.
-
@bugmenot MySQL didn't get actual support for IPv6 to not be stringly typed until recently.
-
@arantor I should have figured that MySQL would have lacked something fundamental that Postgres has supported since 2003. IPv6 has only been formalized since 1998... It's still brand new!
-
@bugmenot and yet listening to ISPs, you'd think it was new.
