Ben Spi
Reputation: 806
WordPress SQL Injection URL parameter
I wrote a very little WordPress application that uses URL parameter values to generate html content on a public site like this:
URL example:
www.mydomain/?prmtr=Chicago
Code:
$prmtr = isset( $_GET['prmtr'] ) ? $_GET['prmtr'] : 'NewYork';
A possible HTML integration is like this
<h1>Hello Person from <?php echo $prmtr; ?></h1>
Is WordPress doing all the "dirty work" for me, like preventing attackers from injecting SQL commands or other stuff?
Thanks in advance, Ben
Upvotes: 1
Views: 588
Answers (1)
thelastshadow
Reputation: 3654
Nope. That's raw PHP you've got there. You'll have to make it safe yourself.
As long as all you're doing with $prtmr is printing it out you don't need to worry about SQL injection, just XSS attacks.
Upvotes: 3
Related Questions
- Filter URL Query Strings For SQL Injections - PHP
- Creating parameters to stop sql injection
- php sql injection
- Sql injection using php
- how to avoid mysql injection when referencing the web url
- PHP with SQL Injection
- php url parameters
- .NET's SqlParameters in PHP
- GET parameters vulnerable to SQL Injection - PHP
- url Query and Security