WordPress Plugin Or theme Review issue : Unsafe SQL calls
When making database calls, it’s highly important to protect your code from SQL injection vulnerabilities. You need to update your code to use wpdb calls and prepare() with your queries to protect them.
Please review the following:
- https://developer.wordpress.org/reference/classes/wpdb/#protect-queries-against-sql-injection-attacks
- http://codex.wordpress.org/Data_Validation#Database
- http://make.wordpress.org/core/2012/12/12/php-warning-missing-argument-2-for-wpdb-prepare/
- http://ottopress.com/2013/better-know-a-vulnerability-sql-injection/
Wrong Code : $sql="SELECT * FROM $wpdb->posts WHERE post_type='post' and post_status='published'";
Right Code :
<?php
$post_type='post';
$post_status='published';
$sql=$wpdb->prepare("SELECT * FROM $wpdb->posts WHERE post_type=%s and post_status=%s", $post_type, $post_status );
?>
%d (integer)
%f (float)
%s (string)
%i (identifier, e.g. table/field names)
Leave a comment
Sign in to post your comment or sign-up if you don't have any account.