• Resolved hughbalboa

    (@hughbalboa)


    Hi, I'm using MySQL in templates for pages on WordPress.

    Is there a safe mode to INSERT INTO, UPDATE and DELETE, without hacking code like anti-script-injection?

    I need help please

    thank you

Viewing 14 replies - 1 through 14 (of 14 total)
  • You use the “prepare” member function to sanitise all user inputs going into your SQL, and validate the fields as best you can.

    Thread Starter hughbalboa

    (@hughbalboa)

    I don't know about it, I will investigate. Thanks
    Ross

    From experience I recommend you not to write raw SQL queries in your application unless you know the consequences and vulnerabilities that could be opened through that code.

    In my work I see many websites hacked every day because of this, and WordPress is not the friendliest environment to work with magic functions. You should use the built-in functions to interact with the database, or at least use “prepare” [1] as @rossmitchell suggested.

    Anyway, if you still want to take the risk of writing raw SQL queries, you may want to check the official documentation [2], which includes examples of how to CRUD (Create, Read, Update, and Delete) the database manually; maybe you already saw that link, but I still want to leave this information here for future reference.

    [1] https://developer.www.ads-software.com/reference/classes/wpdb/prepare/
    [2] https://codex.www.ads-software.com/Class_Reference/wpdb

    Thread Starter hughbalboa

    (@hughbalboa)

    All right, thanks a lot @yorman

    Thread Starter hughbalboa

    (@hughbalboa)

    Is prepare for an external DB?
    If someone has a code example, it could be useful.

    thank you

    Is prepare for an external DB?

    prepare is for EVERY database call. No exceptions.

    For an example…

    global $wpdb; // the WordPress database object, already connected
    
    $post_id = $_POST['id']; // Never trust user-submitted values!
    
    // %d forces the value to be treated as an integer; prepare() does the escaping
    $query = $wpdb->prepare( "SELECT ID, post_title FROM " . $wpdb->posts . " WHERE ID = %d", $post_id );
    
    $result = $wpdb->get_row( $query );

    For more information on how to use this, read on here:

    https://codex.www.ads-software.com/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks

    Thread Starter hughbalboa

    (@hughbalboa)

    I have a few questions. If I had an array like

    $Nmb    = $_POST['Nmb'];
    $ApPtr  = $_POST['ApPtr'];
    $ApMtr  = $_POST['ApMtr'];
    $Tel    = $_POST['Tel'];
    $Telmov = $_POST['Telmov'];
    $Email  = $_POST['Email'];

    and for reading, is it the same?

    If you are using those values with a database, then yes, all user-input values should be escaped for every query.
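The thread only shows prepare() on a SELECT, while the original question was about INSERT, UPDATE and DELETE with the field names posted above. The following is an added example (not code from the thread); it assumes it runs inside WordPress so $wpdb is loaded, and uses a constructed table name, {prefix}contacts, as a placeholder.

```php
<?php
// Added example, not from the thread. Assumes WordPress is loaded (theme
// template or plugin). The table {$wpdb->prefix}contacts is a constructed
// placeholder with columns id, Nmb, ApPtr, ApMtr, Tel, Telmov, Email.
global $wpdb;
$table = $wpdb->prefix . 'contacts';

// Collect the posted fields; every one is untrusted user input.
$fields = array(
    'Nmb'    => sanitize_text_field( wp_unslash( $_POST['Nmb']    ?? '' ) ),
    'ApPtr'  => sanitize_text_field( wp_unslash( $_POST['ApPtr']  ?? '' ) ),
    'ApMtr'  => sanitize_text_field( wp_unslash( $_POST['ApMtr']  ?? '' ) ),
    'Tel'    => sanitize_text_field( wp_unslash( $_POST['Tel']    ?? '' ) ),
    'Telmov' => sanitize_text_field( wp_unslash( $_POST['Telmov'] ?? '' ) ),
    'Email'  => sanitize_email( wp_unslash( $_POST['Email'] ?? '' ) ),
);

// INSERT: $wpdb->insert() escapes every value itself; the third argument
// gives the format of each column in order (%s = string, %d = integer).
$wpdb->insert( $table, $fields, array( '%s', '%s', '%s', '%s', '%s', '%s' ) );
$new_id = $wpdb->insert_id;

// UPDATE: data, WHERE clause, data formats, WHERE formats.
$wpdb->update(
    $table,
    array( 'Tel' => $fields['Tel'] ),
    array( 'id'  => $new_id ),
    array( '%s' ),
    array( '%d' )
);

// DELETE: the WHERE value is typed with %d so a string cannot alter the SQL.
$wpdb->delete( $table, array( 'id' => $new_id ), array( '%d' ) );

// Raw SQL read: prepare() substitutes %s / %d placeholders safely. The
// table name comes from $wpdb->prefix, never from the request.
$rows = $wpdb->get_results(
    $wpdb->prepare( "SELECT id, Nmb FROM {$table} WHERE Email = %s", $fields['Email'] )
);

// A LIKE search needs the wildcards in the user value escaped first.
$like = '%' . $wpdb->esc_like( $fields['Nmb'] ) . '%';
$rows = $wpdb->get_results(
    $wpdb->prepare( "SELECT id, Nmb FROM {$table} WHERE Nmb LIKE %s", $like )
);

// Showing the result in a template: escape on output as well, so a stored
// value cannot inject script into the page.
foreach ( $rows as $row ) {
    echo '<li>' . esc_html( $row->Nmb ) . '</li>';
}
```

Using $wpdb->insert()/update()/delete() with explicit formats covers the common cases; prepare() is for any query you write by hand.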

    Thread Starter hughbalboa

    (@hughbalboa)

    for example:

    $post_id = $_POST['id'];
    $Nmb = $_POST['Nmb'];

    $query = $wpdb->prepare( "SELECT ID, post_title FROM " . $wpdb->posts . " WHERE ID = %d", $post_id );

    $query = $wpdb->prepare( "SELECT ID, post_title FROM " . $wpdb->posts . " WHERE ID = %d", $Nmb );

    Yes that looks correct.

    Thread Starter hughbalboa

    (@hughbalboa)

    I don't have to make a connection to any DB?

    And what if I want to read that info into a PHP page / template?

    Thread Starter hughbalboa

    (@hughbalboa)

    And what is post_title?
    Is it a table?

    $query = $wpdb->prepare( "SELECT ID, post_title FROM " . $wpdb->posts . " WHERE ID = %d", $post_id );

    I don't have to make a connection to any DB?

    That’s what the $wpdb object is. You don’t need to do anything else.

    And what if I want to read that info into a PHP page / template?

    https://codex.www.ads-software.com/Class_Reference/wpdb

    Read up on that. It will explain how it all works.

    And what is post_title? Is it a table?

    NO. post_title is a column in the wp_posts table. Have a look at the database structure and you’ll see that for yourself very easily.

    Thread Starter hughbalboa

    (@hughbalboa)

    Very well.

    I will read that up,

    thank you very much

  • The topic ‘ANTI scriptinjection on Templates-Pages MySQL’ is closed to new replies.