Fixing _weak_escape errors in WordPress 2.8

I’m hoping this saves someone some searching.

I upgraded a couple of blogs to WordPress 2.8 beta early this morning – and I had problems with a single plugin – Audit Trail by John Godley.

The symptom was that on login you got a blank screen and Apache/PHP threw this:

[Fri May 29 11:59:05 2009] [error] [client 10.0.0.1] PHP Fatal error:  Call to undefined method AT_Auditor::_weak_escape() in /www/<foo>/wp-includes/wp-db.php on line 487, referer: http://<foo>/wp-login.php?redirect_to=/

The plugin itself is nicely written – and as part of the safety mechanism it uses wpdb::escape to explode out anything before injecting to the database.

One change in WP 2.8 looks like it affects this – login redirects are now urlencoded by default – http://core.trac.wordpress.org/ticket/9817 – and that looks like it’s clashing with the line above.

The temporary fix for me is to modify part of the plugin to not call into wp::db – and instead assume that the url has already been exploded out.

wp-content/plugins/audit-trail/models/audit.php

line 173

//               $operation = wpdb::escape ($operation);

The risk for my implementation seems small – I’m only using audit-trail to track logins and logouts.

So if you are hunting down some generic <function>::_weak_escape errors in WordPress 2.8 beta – take a trawl through your plugins and see if there is a wpdb::escape call. There may be some relatively low impact fixes out there.

Leave a Reply

Your email address will not be published. Required fields are marked *