Does anyone have any advice on the best way to sanitize data before running SQL queries with WPDB in order to prevent SQL injection attacks?
I’ve had a read through the WordPress documentation for the wpdb class which is what I’m using to INSERT/UPDATE/DELETE/SELECT data.
If I understand correctly, for INSERT and UPDATE, there is no need for SQL escaping.
(array) Data to insert (in column => value pairs). Both $data columns and $data values should be “raw” (neither should be SQL escaped).
Again, if I understand the WordPress documentation correctly, SQL escaping needs to be done for DELETE and SELECT queries.
WordPress seems to offer two/three ways of doing this:
<?php $sql = $wpdb->prepare( 'query' [, value_parameter, value_parameter ... ] ); ?>
$wpdb->escape( $text )
Escapes a single string for use in a SQL query. Glorified addslashes().
like_escape( $string )
Sanitizes $string for use in a LIKE expression of a SQL query. Will still need to be SQL escaped (with one of the above functions).
I would appreciate it if someone who’s experienced with these WordPress functions could confirm whether my understanding is correct and help me understand which of those functions would be best suited for dealing with SQL injection attempts.
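As an added example (not code from the original post or from WordPress itself), the following shows the pattern the question is asking about: $wpdb->prepare() with placeholders for SELECT and DELETE/UPDATE-style conditions, raw values for $wpdb->insert()/$wpdb->delete(), and wildcard escaping before a LIKE. It assumes a hypothetical custom table {$wpdb->prefix}example_items with columns id, name, email and created. It uses the current function names esc_sql() and $wpdb->esc_like(); $wpdb->escape() and like_escape() were deprecated in WordPress 3.6 and 4.0 respectively in favour of those.

```php
<?php
// Added example, not from the original post. Assumes a hypothetical table
// {$wpdb->prefix}example_items (id, name, email, created) created elsewhere.

function example_find_items_by_email( $email ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items';

    // Vulnerable form for contrast (do not use): a quote inside $email ends
    // the string literal and the rest of the input becomes SQL.
    //   "SELECT id FROM {$table} WHERE email = '$email'"

    // Safe form: prepare() escapes and quotes %s itself, so the placeholder
    // must appear unquoted in the query text. %d casts to an integer.
    $sql = $wpdb->prepare(
        "SELECT id, name, email FROM {$table} WHERE email = %s LIMIT %d",
        $email,
        10
    );
    return $wpdb->get_results( $sql );
}

function example_search_items( $needle ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_items';

    // LIKE: esc_like() neutralises % and _ in the user input, then prepare()
    // does the SQL escaping. Add your own wildcards after escaping.
    $like = '%' . $wpdb->esc_like( $needle ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, name FROM {$table} WHERE name LIKE %s", $like )
    );
}

function example_insert_item( $name, $email ) {
    global $wpdb;
    // INSERT: values are passed raw; wpdb::insert() escapes them. The format
    // array pins each value's type so a string cannot reach a numeric column.
    $ok = $wpdb->insert(
        $wpdb->prefix . 'example_items',
        array( 'name' => $name, 'email' => $email, 'created' => current_time( 'mysql' ) ),
        array( '%s', '%s', '%s' )
    );
    return false === $ok ? 0 : (int) $wpdb->insert_id;
}

function example_delete_item( $id ) {
    global $wpdb;
    // DELETE: wpdb::delete() takes a raw WHERE array, same convention as insert().
    return $wpdb->delete(
        $wpdb->prefix . 'example_items',
        array( 'id' => (int) $id ),
        array( '%d' )
    );
}

function example_order_items( $column ) {
    global $wpdb;
    // Identifiers (table and column names) cannot go through %s, because
    // prepare() would quote them. Whitelist them instead of escaping them.
    $allowed = array( 'name', 'email', 'created' );
    if ( ! in_array( $column, $allowed, true ) ) {
        $column = 'created';
    }
    return $wpdb->get_results(
        "SELECT id, name FROM {$wpdb->prefix}example_items ORDER BY {$column} ASC"
    );
}
```

The rule of thumb the code follows: build every query through prepare() (or the insert/update/delete helpers, which escape internally), reserve esc_sql() for the rare place a string must be spliced into SQL by hand, and treat anything that is not a value, such as a column name or sort direction, as something to whitelist rather than escape.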
Topic: ‘Best way to sanitize data before executing WPDB SQL queries?’ (closed to new replies)