SQL injection security question (Beginner Developer Course)
-
Hi there,
I have been working with WordPress for a number of years, but to ensure I am following current best practice I am doing the Beginner WordPress Developer course on Learn.Wordpress.org.
I have got to the Securely developing plugins and themes page (https://learn.wordpress.org/lesson/securely-developing-plugins-and-themes/).
I have installed the sample plugin and got it working but am stuck on the Sanitizing inputs section:
$name = $_POST['name'];
$email = $_POST['email'];
global $wpdb;
$table_name = $wpdb->prefix . 'form_submissions';
$sql = "INSERT INTO $table_name (name, email) VALUES ('$name', '$email')";
$result = $wpdb->query($sql);As you can see the data is being saved directly to the database, without any sanitization.
This means that if a user were to submit a name of
John'; DROP TABLE form_submissions;--the SQL INSERT query would be run, followed by the DROP query, and the table would be deleted from the database!For purely learning purposes on my dev site, I tried to entering a name of John’; DROP TABLE form_submissions;– into the name field of the form (put on a page using the plugin shortcode) and it seems some kind of sanitization is actually happening?
The data saves as normal despite the SQL injection code. Has something changed to enhance the security?
I also tried adding the table prefix (I’m using the default of ‘wp’):
John'; DROP TABLE wp_form_submissions;--But this did not work either.
Anyone got an answer to this? I obviously don’t strictly need to be able to break my own site (lol) but would be satisfying to know what the issue is here to aid my learning of what to avoid.
When I run the SQL in the DB management tool AdminNeo, the query does do what is expected so it is very strange.
I am running WordPress 7.0 on a local dev environment (LocalWP) using nginx and MySQL 8.0.35 if that’s helpful. Thanks in advance for your support!The page I need help with: [log in to see the link]
You must be logged in to reply to this topic.