Unsafe SQL calls
WordPress plugin or theme review issue: Unsafe SQL calls

When making database calls, it is very important to protect your code from SQL injection vulnerabilities. You need to update your code to use $wpdb calls and pass your queries through prepare() so that every value is escaped and quoted before it reaches the database.

Please review the following:
- https://developer.wordpress.org/reference/classes/wpdb/#protect-queries-against-sql-injection-attacks
- http://codex.wordpress.org/Data_Validation#Database
- http://make.wordpress.org/core/2012/12/12/php-warning-missing-argument-2-for-wpdb-prepare/
- http://ottopress.com/2013/better-know-a-vulnerability-sql-injection/

Wrong code (values are interpolated straight into the SQL string):

    $sql = "SELECT * FROM $wpdb->posts WHERE post_type='post' and post_status='published'";

Right code (values are bound through prepare() placeholders):

    <?php
    $post_type   = 'post';
    $post_status = 'published';
    $sql = $wpdb->prepare(
        "SELECT * FROM $wpdb->posts WHERE post_type=%s and post_status=%s",
        $post_type,
        $post_status
    );
    ?>

Placeholders accepted by prepare():
- %d (integer)
- %f (float)
- %s (string)
- %i (identifier, e.g. table/field names)
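The following is an added example, not code from the post above: a query that takes its filter values from request input, first built by string concatenation and then rewritten with $wpdb->prepare(), including the integer placeholder, an allowlist for a column name used in ORDER BY, and the extra escaping a LIKE pattern needs. It assumes WordPress is loaded so that the global $wpdb object, absint() and $wpdb->esc_like() are available; the function names are my own.

```php
<?php
// Added example, not the post's own code. Assumes WordPress is loaded ($wpdb, absint()).

// UNSAFE: request values are concatenated into the SQL string, so a crafted
// $status or $author_id changes the structure of the query itself.
function review_demo_posts_unsafe( $status, $author_id ) {
    global $wpdb;
    $sql = "SELECT ID, post_title FROM $wpdb->posts"
         . " WHERE post_status = '$status' AND post_author = $author_id";
    return $wpdb->get_results( $sql );
}

// SAFE: every value is bound through a typed placeholder; wpdb escapes and
// quotes strings (%s) and casts integers (%d) before the query is run.
function review_demo_posts_safe( $status, $author_id, $order_by = 'post_date' ) {
    global $wpdb;

    // A column name is an identifier, not a value, so it cannot be bound with %s.
    // Restrict it to a fixed allowlist (the %i placeholder listed above is the
    // alternative on WordPress versions that support it).
    $allowed_columns = array( 'post_date', 'post_title', 'ID' );
    if ( ! in_array( $order_by, $allowed_columns, true ) ) {
        $order_by = 'post_date';
    }

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM $wpdb->posts
         WHERE post_status = %s AND post_author = %d
         ORDER BY $order_by DESC",   // safe: validated against the allowlist above
        $status,
        absint( $author_id )
    );
    return $wpdb->get_results( $sql );
}

// LIKE patterns need one more step: prepare() escapes quotes, but not the
// SQL wildcards % and _, so run the user term through esc_like() first.
function review_demo_search_titles_safe( $term ) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM $wpdb->posts WHERE post_title LIKE %s",
            $pattern
        )
    );
}
```

When reviewing a plugin, the thing to look for is any variable inside a double-quoted SQL string that is not $wpdb->prefix or a table property such as $wpdb->posts; each one should either be a prepare() placeholder or be validated against a fixed list as the column name is here.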
- Date: December 29, 2023
- Author: Aktar Zaman
- Category: Uncategorized, WordPress Plugin Review