Cool research. I like how you "connect the dots" from MySQL's benign-looking behaviour to the bad code in WordPress. This reminds me of <a href="http://www.suspekt.org/2008/08/18/mysql-and-sql-column-truncation-vulnerabilities/" rel="nofollow">http://www.suspekt.org/2008/08/18/mysql-and-sql-column-trunc...</a>.

<p>I'm surprised that the fix in WordPress wasn't explicitly marking fields that need to be serialized/unserialized, instead of second-guessing based on the broken promise by MySQL.

<p>> MySQL replaces characters it doesn’t recognize (for the given character set), with a placeholder. MySQL will sometimes replace byte sequences with “?” or “�” (U+FFFD). Such replacements would not be harmful.

<p>This is so wrong. A database must never change any data that it's asked to store. WordPress, and other applications, always make that assumption, and when it isn't true anymore all hell breaks loose.

<p>PS: it blows my mind that it looks like strpos in PHP could return either boolean or integer [1].

<p>[1] <a href="http://core.trac.wordpress.org/browser/tags/3.6.1/wp-includes/functions.php#L0" rel="nofollow">http://core.trac.wordpress.org/browser/tags/3.6.1/wp-include...</a>
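An added illustration of both points in the comment above (it is not code from the thread or from WordPress): a serialized PHP value whose 4-byte UTF-8 character is silently replaced by "?" the way the quoted text describes, which makes the stored blob unparseable, and a marker check that goes wrong because strpos() returns 0 for a match at the start and false for no match. The sample value and the substitution are constructed with a regex to simulate the database; the helper names are hypothetical.

```php
<?php
// Constructed sample: a WordPress-style option holding "café 😀" (4-byte emoji).
$original = serialize(['title' => "caf\xC3\xA9 \xF0\x9F\x98\x80"]);
// Serialized form carries a byte length: a:1:{s:5:"title";s:10:"café 😀";}

// Simulate storage in a character set that cannot hold 4-byte sequences and
// substitutes "?" instead of rejecting the write (constructed, not MySQL itself).
$stored = preg_replace('/[\xF0-\xF7][\x80-\xBF]{3}/', '?', $original);

function round_trips(string $blob): bool
{
    // The s:10 length prefix no longer matches the 7 bytes that follow,
    // so unserialize() cannot parse the blob and returns false.
    return @unserialize($blob) !== false;
}

// strpos(): a match at offset 0 and "no match" (false) are both falsy.
function looks_serialized_buggy(string $s): bool
{
    // Wrong: "a:1:{...}" matches at offset 0, which this treats as "not found".
    return strpos($s, 'a:') ? true : false;
}

function looks_serialized(string $s): bool
{
    // Correct: compare the offset with the identity operator.
    return strpos($s, 'a:') === 0;
}

printf("original round-trips: %s\n", round_trips($original) ? 'yes' : 'no');
printf("stored round-trips:   %s\n", round_trips($stored) ? 'yes' : 'no');
printf("buggy check:          %s\n", looks_serialized_buggy($original) ? 'serialized' : 'plain');
printf("correct check:        %s\n", looks_serialized($original) ? 'serialized' : 'plain');
```

Rejecting the write (strict SQL mode, or a column character set that can hold the data) keeps the round-trip intact; substitution silently breaks it.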