Reputation: 75
I'm currently using the following query to get values from MySQL using PHP:
The code is working, but now I'm worried about SQL injections.
How do I prevent SQL injection?
<?php
include_once("wp-config.php");
@$gameid = $_GET['gameid'];
global $wpdb;
$fivesdrafts = $wpdb->get_results(
    "
    SELECT ID
    FROM $wpdb->posts
    WHERE ID = " . $gameid . "
    "
);
?>
is this safe?
<?php
include_once("wp-config.php");
// prepare() escapes the value itself, so this escaping is redundant
@$gameid = mysql_real_escape_string($_GET['gameid']);
global $wpdb;
$fivesdrafts = $wpdb->get_results(
    $wpdb->prepare(
        "
        SELECT ID
        FROM $wpdb->posts
        WHERE ID = %d",
        $gameid   // passed as a parameter, not concatenated into the string
    )
);
?>
Upvotes: 7
Views: 20681
Reputation: 27092
From the WordPress Codex on protecting queries against SQL Injection attacks:
<?php $sql = $wpdb->prepare( 'query' , value_parameter[, value_parameter ... ] ); ?>
If you scroll down a bit farther, there are examples.
You should also read the database validation docs for a more thorough overview of SQL escaping in WordPress.
Upvotes: 15
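To make the answer concrete, here is an added example (not code from the question, the answer, or WordPress itself) that puts the question's concatenated query beside a parameterised version using `$wpdb->prepare()`, and adds a string/LIKE case. It assumes WordPress is already loaded so that `$wpdb`, `absint()` and `$wpdb->esc_like()` are available; the function names `fivesdrafts_*` are made up for the example.

```php
<?php
// Added example: assumes WordPress core is loaded (wp-load.php), which
// defines the global $wpdb and the helper functions used below.

/**
 * UNSAFE: the request value is concatenated straight into the SQL text,
 * so anything that is not a plain number changes the query's meaning.
 * Shown only for comparison; do not use this form.
 */
function fivesdrafts_unsafe( $gameid ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT ID FROM $wpdb->posts WHERE ID = " . $gameid
    );
}

/**
 * SAFE: the value is handed to prepare() as a parameter. %d casts the
 * argument to an integer, so no SQL syntax can reach the server.
 */
function fivesdrafts_by_id( $gameid ) {
    global $wpdb;
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID FROM $wpdb->posts WHERE ID = %d",
            $gameid
        )
    );
}

/**
 * String parameters use %s. prepare() quotes and escapes them itself, so the
 * placeholder is written WITHOUT surrounding quotes. For a LIKE pattern the
 * user-supplied part additionally goes through $wpdb->esc_like() so that a
 * % or _ typed by the user is matched literally instead of as a wildcard.
 */
function fivesdrafts_by_title_prefix( $prefix ) {
    global $wpdb;
    $like = $wpdb->esc_like( $prefix ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM $wpdb->posts
             WHERE post_type = %s AND post_status = %s AND post_title LIKE %s",
            'post',
            'publish',
            $like
        )
    );
}

// Reading the request: validate the type before the value reaches any query.
// absint() (WordPress core) returns a non-negative integer, or 0 on garbage.
$gameid = isset( $_GET['gameid'] ) ? absint( $_GET['gameid'] ) : 0;
if ( $gameid > 0 ) {
    $fivesdrafts = fivesdrafts_by_id( $gameid );
}
```

Two points worth noting about the question's second snippet: `prepare()` already escapes every `%s` argument, so running the value through `mysql_real_escape_string()` first double-escapes string values (and the `mysql_*` extension was removed in PHP 7 anyway); and the argument must be the variable itself (`$gameid`), not a string built around it, otherwise `%d` receives something that casts to 0.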