WordPress Plugin or Theme Review Issue: Unsafe SQL Calls

When making database calls, it is important to protect your code from SQL injection vulnerabilities. Update your code to use the $wpdb methods and pass every query through $wpdb->prepare(), so that values are bound through typed placeholders instead of being interpolated into the SQL string.

Please review the following:

Wrong code:

$sql = "SELECT * FROM $wpdb->posts WHERE post_type='post' and post_status='published'";

Right code:

<?php
$post_type   = 'post';
$post_status = 'published';
// prepare() quotes and escapes each %s value itself, so the placeholders are written without surrounding quotes.
$sql = $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_type=%s and post_status=%s", $post_type, $post_status );
?>

The placeholders accepted by prepare() are:

%d (integer)
%f (float)
%s (string)
%i (identifier, e.g. table/field names)
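A fuller version of the same pattern, as an added example that is not part of the original post, showing how each placeholder type is used when the values come from a request. The function names, the status/limit/s/orderby request parameters and the column allow-list are assumptions for illustration; $wpdb, prepare(), esc_like(), sanitize_key() and absint() are the real WordPress APIs.

```php
<?php
// Added example (not from the original post). Assumes it runs inside
// WordPress, where the global $wpdb object is available.

// UNSAFE: request values are concatenated straight into the SQL string,
// so a crafted 'status' or 'limit' parameter changes the query itself.
function example_unsafe_posts( $wpdb ) {
    $status = $_GET['status'];
    $limit  = $_GET['limit'];
    return $wpdb->get_results(
        "SELECT ID, post_title FROM $wpdb->posts WHERE post_status = '$status' LIMIT $limit"
    );
}

// SAFE: every value is bound through a typed placeholder in prepare().
function example_safe_posts( $wpdb ) {
    // Sanitise first, then bind; the two steps are complementary.
    $status  = isset( $_GET['status'] ) ? sanitize_key( $_GET['status'] ) : 'publish';
    $limit   = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 10;
    $search  = isset( $_GET['s'] ) ? (string) $_GET['s'] : '';
    $orderby = isset( $_GET['orderby'] ) ? (string) $_GET['orderby'] : 'post_date';

    // Identifiers (column/table names) are not values: %i (WordPress 6.2+)
    // backtick-quotes them, but only an allow-list guarantees the caller
    // picks from columns the code actually intends to expose.
    if ( ! in_array( $orderby, array( 'post_date', 'post_title', 'ID' ), true ) ) {
        $orderby = 'post_date';
    }

    // LIKE patterns: esc_like() makes '%' and '_' in the input literal;
    // the wildcards are added afterwards and the whole pattern is bound with %s.
    $like = '%' . $wpdb->esc_like( $search ) . '%';

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM $wpdb->posts
         WHERE post_type = %s AND post_status = %s AND post_title LIKE %s
         ORDER BY %i DESC LIMIT %d",
        'post',     // %s: fixed value, still bound rather than interpolated
        $status,    // %s: prepare() adds the quotes and escaping
        $like,      // %s: escaped LIKE pattern
        $orderby,   // %i: identifier from the allow-list
        $limit      // %d: cast to an integer, so no quoting is needed
    );
    return $wpdb->get_results( $sql );
}
```

Only the table name is interpolated ($wpdb->posts comes from WordPress itself, not from the request); everything that originates outside the code is passed as a prepare() argument.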
