I'm currently using the following query to get values from MySQL using PHP:
The code is working, but now I'm worried about SQL injection.
How to prevent SQL injection?
<?php
include_once("wp-config.php");
@$gameid = $_GET['gameid'];
global $wpdb;
// The request value is concatenated straight into the SQL string.
$fivesdrafts = $wpdb->get_results(
    "
    SELECT ID
    FROM $wpdb->posts
    WHERE ID = " . $gameid . "
    "
);
?>
Is this safe?
<?php
include_once("wp-config.php");
// mysql_real_escape_string() needs an open mysql_* connection and is redundant once
// the value goes through prepare() with a %d placeholder.
@$gameid = mysql_real_escape_string($_GET['gameid']);
global $wpdb;
$fivesdrafts = $wpdb->get_results(
    $wpdb->prepare(
        "
        SELECT ID
        FROM $wpdb->posts
        WHERE ID = %d
        ",
        $gameid   // passed as a separate argument, not concatenated into the query
    )
);
?>
SQL Injection in WordPress. You are secure from any SQL injection vulnerability if you are using up-to-date WordPress core files. However, when you use third-party themes and plugins, your entire application is at risk. Your WordPress site is only as strong as its weakest link.
The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
SQL injections typically fall under three categories: In-band SQLi (Classic), Inferential SQLi (Blind) and Out-of-band SQLi. You can classify SQL injections types based on the methods they use to access backend data and their damage potential.
From the WordPress Codex on protecting queries against SQL Injection attacks:
<?php $sql = $wpdb->prepare( 'query' , value_parameter[, value_parameter ... ] ); ?>
If you scroll down a bit farther, there are examples.
You should also read the database validation docs for a more thorough overview of SQL escaping in WordPress.
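To tie the two answers together (validate the input, then pass it to `$wpdb->prepare()` as a separate argument), here is an added example; it is not code from the question, the answers, or the WordPress Codex. It assumes WordPress is loaded so the global `$wpdb` object exists, and the function names `get_post_id_safely` and `find_posts_by_title_fragment` are made up for illustration. It goes slightly beyond the question by also showing the `%s` placeholder and `LIKE` handling, which is where string parameters usually go wrong.

```php
<?php
// Added example, not from the original page. Assumes WordPress has been bootstrapped
// (e.g. this file is included from a plugin) so the global $wpdb is available.

/**
 * Return the post ID that matches a request parameter, or null if the input is not
 * a positive integer. The integer check rejects junk before any SQL is built, and the
 * %d placeholder means prepare() formats the value itself; nothing is concatenated.
 */
function get_post_id_safely($raw_gameid) {
    global $wpdb;

    $gameid = filter_var(
        $raw_gameid,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($gameid === false) {
        return null; // e.g. "1 OR 1=1" or "" never reaches the database
    }

    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE ID = %d",
        $gameid
    );
    return $wpdb->get_var($sql);
}

/**
 * String values use %s: prepare() escapes the value and wraps it in quotes, so the
 * placeholder must NOT be written as '%s' by hand. For LIKE, the wildcard characters
 * in user input are escaped with esc_like() before the surrounding % are added.
 */
function find_posts_by_title_fragment($fragment) {
    global $wpdb;

    $like = '%' . $wpdb->esc_like($fragment) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_title LIKE %s AND post_status = 'publish'",
        $like
    );
    return $wpdb->get_results($sql);
}

// Usage from a request handler (hypothetical parameter names):
$id    = get_post_id_safely($_GET['gameid'] ?? '');
$posts = find_posts_by_title_fragment($_GET['q'] ?? '');
```

Two details worth checking in your own code: `prepare()` only protects values passed as arguments, so table and column names still have to come from your own code (as `{$wpdb->posts}` does here), and a `%d` placeholder silently turns a non-numeric value into `0`, which is why validating the parameter first gives you a clear "bad input" path instead of a query that quietly matches nothing.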