Jonathan Miles
Forum Replies Created
-
Forum: Developing with WordPress
In reply to: SQL injection security question (Beginner Developer Course)So I went down an interesting rabbit hole with this.
It appears this particular vulnerability does not exist in modern WP versions, while using the functions in the example:
- WP has a magic quotes functionality that automatically escapes quotes in $_POST data (for historical compatability reasons, should not be relied upon for security today)
- If above protection is removed (eg you take out the slashes to manipulate the user submitted data in some way), $wpdb->query only allows one SQL query at a time
Sources:
https://developer.wordpress.org/reference/functions/wp_magic_quotes/
https://wordpress.stackexchange.com/questions/21693/wordpress-and-magic-quotes
https://wordpress.stackexchange.com/questions/304981/how-to-execute-mulitple-statement-sql-queries-using-wpdb-querySo I got to the point where the malicious user input caused an SQL error, but could not drop the DB table. wpdb prevented any DB changes happening due to the multiple queries.
The example code is still unsafe though
But don’t worry I know the code example will be vulnerable in other ways, and is still bad code. Best practice exist for tried and tested reasons.I agree
sanitizefunctions and$wpdb->prepare()should be used here to handle the user input securely.Just thought I would share what I found as may also be insightful for others about how WP works.
Forum: Developing with WordPress
In reply to: SQL injection security question (Beginner Developer Course)Thanks threadi for the quick response. I’ll have another look at this following your suggestions, cheers