Title: Jonathan Miles's Replies | WordPress.org

---

# Jonathan Miles

  [  ](https://wordpress.org/support/users/jmileswebdev/)

 *   [Profile](https://wordpress.org/support/users/jmileswebdev/)
 *   [Topics Started](https://wordpress.org/support/users/jmileswebdev/topics/)
 *   [Replies Created](https://wordpress.org/support/users/jmileswebdev/replies/)
 *   [Reviews Written](https://wordpress.org/support/users/jmileswebdev/reviews/)
 *   [Topics Replied To](https://wordpress.org/support/users/jmileswebdev/replied-to/)
 *   [Engagements](https://wordpress.org/support/users/jmileswebdev/engagements/)
 *   [Favorites](https://wordpress.org/support/users/jmileswebdev/favorites/)

 Search replies:

## Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)

 *   Forum: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
   
   In reply to: [SQL injection security question (Beginner Developer Course)](https://wordpress.org/support/topic/sql-injection-security-question-beginner-developer-course/)
 *  Thread Starter [Jonathan Miles](https://wordpress.org/support/users/jmileswebdev/)
 * (@jmileswebdev)
 * [1 week, 4 days ago](https://wordpress.org/support/topic/sql-injection-security-question-beginner-developer-course/#post-18950408)
 * So I went down an interesting rabbit hole with this.
 * It appears this particular vulnerability does not exist in modern WP versions,
   while using the functions in the example:
    1. WP has a magic quotes functionality that automatically escapes quotes in $_POST
       data (for historical compatability reasons, should not be relied upon for security
       today)
    2. If above protection is removed (eg you take out the slashes to manipulate the
       user submitted data in some way), $wpdb->query only allows one SQL query at 
       a time
 * Sources:
   [https://developer.wordpress.org/reference/functions/wp_magic_quotes/](https://developer.wordpress.org/reference/functions/wp_magic_quotes/)
   [https://wordpress.stackexchange.com/questions/21693/wordpress-and-magic-quotes](https://wordpress.stackexchange.com/questions/21693/wordpress-and-magic-quotes)
   [https://wordpress.stackexchange.com/questions/304981/how-to-execute-mulitple-statement-sql-queries-using-wpdb-query](https://wordpress.stackexchange.com/questions/304981/how-to-execute-mulitple-statement-sql-queries-using-wpdb-query)
 * So I got to the point where the malicious user input caused an SQL error, but
   could not drop the DB table. wpdb prevented any DB changes happening due to the
   multiple queries.
 * **The example code is still unsafe though**
   But don’t worry I know the code example
   will be vulnerable in other ways, and is still bad code. Best practice exist 
   for tried and tested reasons.
 * I agree `sanitize` functions and `$wpdb->prepare()` should be used here to handle
   the user input securely.
 * Just thought I would share what I found as may also be insightful for others 
   about how WP works.
 *   Forum: [Developing with WordPress](https://wordpress.org/support/forum/wp-advanced/)
   
   In reply to: [SQL injection security question (Beginner Developer Course)](https://wordpress.org/support/topic/sql-injection-security-question-beginner-developer-course/)
 *  Thread Starter [Jonathan Miles](https://wordpress.org/support/users/jmileswebdev/)
 * (@jmileswebdev)
 * [1 week, 6 days ago](https://wordpress.org/support/topic/sql-injection-security-question-beginner-developer-course/#post-18949459)
 * Thanks threadi for the quick response. I’ll have another look at this following
   your suggestions, cheers

Viewing 2 replies - 1 through 2 (of 2 total)