[resolved] Object of class wpdb could not be converted to string (4 posts)

  1. WPOldSkool
    Posted 4 years ago #

    Been running 3.1 Multi Site for a while and came across this whilst developing a plugin on my local host server.

    $wpdb->query( $wpdb->prepare( "DELETE FROM $wpdb->$ossf_quotes WHERE user_email = '$ossf_email' " ));

    Realise it could be a problem already solved but if not -----------

  2. Andrew Nacin
    Lead Developer
    Posted 4 years ago #

    As of right now, your query is insecure, and if $ossf_email comes from input, it's vulnerable to SQL injection. Wrapping something in prepare isn't enough, you need to actually prepare it.

    $wpdb->prepare( "DELETE FROM $wpdb->$ossf_quotes WHERE user_email = %s", $ossf_email );

    If I had to guess, your issue has to do with $wpdb->$ossf_quotes, but this isn't a core issue. I'd check each instance of $wpdb and make sure you're using them properly.

  3. WPOldSkool
    Posted 4 years ago #

    Hi Andrew
    Meant to post problem as solved yesterday but got overwhelmed.
    The problem was with the $wpdb as you rightly state but was with me calling the prefix twice inadvertently as it was already called in the $ossf_quotes variable.
    Hope I didn’t waste your time. The security issue is in hand and will be included in the completed code.

  4. Andrew Nacin
    Lead Developer
    Posted 4 years ago #

    Glad I could help.
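
Added example (not code from the thread or from WordPress core): one way to write the delete so that it applies both fixes discussed above, the `%s` placeholder from post 2 and the single table prefix from post 3. It assumes the code runs inside WordPress; the function name `ossf_delete_quotes_by_email()` and the `ossf_quotes` table suffix are hypothetical.

```php
<?php
// Added example; assumes it is loaded inside WordPress (e.g. from a plugin file).
// ossf_delete_quotes_by_email() and the 'ossf_quotes' suffix are hypothetical names.

function ossf_delete_quotes_by_email( $ossf_email ) {
    global $wpdb;

    // Build the full table name exactly once. $wpdb->prefix is a string
    // property; on multisite it is the current site's prefix, while
    // $wpdb->base_prefix is the network-wide one.
    $ossf_quotes = $wpdb->prefix . 'ossf_quotes';

    // Reject anything that is not a syntactically valid address before
    // touching the database. is_email() returns false on failure.
    $ossf_email = is_email( trim( (string) $ossf_email ) );
    if ( false === $ossf_email ) {
        return false;
    }

    // The table name is a plain string variable, so "{$ossf_quotes}" interpolates
    // cleanly. Writing "$wpdb->$ossf_quotes" instead makes PHP try to turn the
    // $wpdb object itself into a string, which is the error in the topic title.
    //
    // The value goes through a %s placeholder: prepare() escapes and quotes it,
    // so a quote character in the input stays data instead of ending the literal.
    $sql = $wpdb->prepare(
        "DELETE FROM {$ossf_quotes} WHERE user_email = %s",
        $ossf_email
    );

    // query() returns the number of rows deleted, or false on a database error.
    return $wpdb->query( $sql );
}
```

On WordPress 3.4 and later, `$wpdb->delete( $ossf_quotes, array( 'user_email' => $ossf_email ), array( '%s' ) )` performs the same parameterised delete without hand-written SQL.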

Topic Closed

This topic has been closed to new replies.
