• I am writing a WP plugin. In the admin part, the user can mark with the help of checkboxes which post types he wants to select (I get this data from the database). There is also data that is entered into a form located on the page. Both of these types of data are used in one SQL request.
    The request contains data received from the database (post types) and data from the form.
    To protect queries against SQL injection attacks you need to use
    $sql = $wpdb->prepare( 'query', value_parameter[, value_parameter ... ] );
    Is it necessary to protect from injection only the data received from the form located on the site, or also the data I received from the database?

  • Dion

    (@diondesigns)

    ALL fields submitted from a form should be sanitized before being entered into the database. For example, it's easy for an attacker to change a checkbox to a text field and submit something potentially malicious. Using $wpdb->prepare() is the easiest way to handle the sanitizing, though the function is extremely inefficient and can waste a lot of CPU cycles.
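    The following is an added example, not code from the thread or from either poster, showing the pattern the question and the reply describe: the post types chosen via admin checkboxes (stored in the database) and the term typed into the page's form are both passed to $wpdb->prepare() as parameters, and the checkbox values are whitelisted against get_post_types() when they are saved, so a checkbox turned into a text field cannot smuggle in an arbitrary string. The data read back from the database is treated as untrusted too, because it originally came from a form. The option name myplugin_post_types, the form field name myplugin_term and the nonce actions are assumptions chosen for the example.

```php
<?php
// Added example (not from the original thread): one query built from
// post types chosen via admin checkboxes and a search term from a form,
// with every value, from both sources, passed through $wpdb->prepare().
// Assumed names: option 'myplugin_post_types', form field 'myplugin_term',
// nonce actions 'myplugin_settings' and 'myplugin_search'.

// Saving the admin checkboxes: keep only values that are real post type names.
// Anything else an attacker submits in place of a checkbox value is dropped here.
function myplugin_save_post_types() {
    check_admin_referer( 'myplugin_settings' );
    $submitted = isset( $_POST['myplugin_post_types'] ) ? (array) wp_unslash( $_POST['myplugin_post_types'] ) : array();
    $valid = array_values( array_intersect( array_map( 'sanitize_key', $submitted ), get_post_types() ) );
    update_option( 'myplugin_post_types', $valid );
}

// Running the query: the stored post types are whitelisted again on read, and
// both they and the form term go into the SQL only through prepare() placeholders.
function myplugin_find_posts( $term ) {
    global $wpdb;

    $chosen     = (array) get_option( 'myplugin_post_types', array( 'post' ) );
    $post_types = array_values( array_intersect( $chosen, get_post_types() ) );
    if ( empty( $post_types ) ) {
        return array();
    }

    // One %s placeholder per post type; the values themselves never touch the SQL string.
    $placeholders = implode( ', ', array_fill( 0, count( $post_types ), '%s' ) );

    // Escape LIKE wildcards in the user-supplied term, then let prepare() quote it.
    $like = '%' . $wpdb->esc_like( $term ) . '%';

    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish'
           AND post_type IN ( $placeholders )
           AND post_title LIKE %s",
        array_merge( $post_types, array( $like ) )
    );

    return $wpdb->get_results( $sql );
}

// Handling the page form: verify the nonce, unslash and sanitize the text field, then query.
function myplugin_handle_form() {
    if ( ! isset( $_POST['myplugin_term'] ) ) {
        return array();
    }
    check_admin_referer( 'myplugin_search' );
    $term = sanitize_text_field( wp_unslash( $_POST['myplugin_term'] ) );
    return myplugin_find_posts( $term );
}
```

    The IN ( ... ) list is the part that is easy to get wrong: prepare() has no placeholder for a list, so the example generates one %s per value and passes the values as an array; concatenating the stored post types directly into the string would reintroduce the injection even though they "came from the database".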

    Thread Starter vrpr

    (@vrpr)

    Thanks for the answer.

  • The topic ‘Protect queries against SQL injection’ is closed to new replies.