
Preventing SQL injections in WordPress
- October 20, 2015
Web developers must know what SQL injection is and how to protect their queries from it. In an SQL injection, a front-end user types SQL syntax into an input field (a name or email box, for example) instead of an ordinary value. If that input is concatenated straight into a query, the database executes the attacker's text as part of the statement, and it can read, modify or delete anything the application's database account can reach.
Writing even a single query in this unsafe form exposes the whole database to attack, so every query that includes user-supplied data must be built safely.
This is an example of a simple query that a developer might write, interpolating the user's input directly into the SQL string:
"SELECT * FROM table_name WHERE column_name = '$value';"
A user can enter a value such as a'; DROP TABLE table_name; SELECT * FROM another_table WHERE 'column_name' = 'value in the input field, and the resulting statement sent to the database becomes:
"SELECT * FROM table_name WHERE column_name = 'a'; DROP TABLE table_name; SELECT * FROM another_table WHERE 'column_name' = 'value';"
The single quote in the input closes the string literal, and everything after it is treated as SQL. One caveat: the mysqli driver WordPress uses runs only one statement per query call, so the stacked DROP TABLE will not normally execute through $wpdb. That does not make the query safe. An input such as ' OR '1'='1 rewrites the WHERE clause within a single statement and returns every row, and UNION SELECT and subqueries give an attacker read access to other tables the same way.
In order to make your queries secure, build them with
$wpdb->prepare();
Placeholders (%s for strings, %d for integers, %f for floats) stand in for the user-supplied values, and prepare() escapes and quotes each value before it is substituted, so the input can no longer change the structure of the statement. Note that $wpdb->prepare() is sprintf-style escaping done in PHP, not a server-side prepared statement, and it protects values only: table and column names cannot be passed as placeholders and must be validated separately.
Following is an example of a secure query in WordPress ($wpdb->get_results() is used because $wpdb->query() does not return the selected rows):
global $wpdb;
$rows = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM table_name WHERE column_name = %s", $value ) );
We can also use multiple parameters, passing one argument per placeholder in order:
global $wpdb;
$rows = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM table_name WHERE column_name = %s AND meta_value = %s", $value1, $value2 ) );
This article of yours is really very informative. Even someone with just a little or basic programming knowledge can understand and follow it. Thanks for sharing useful information!! I am really impressed to see that you have provided such interesting information about WordPress.
I was struggling to find such an article. Anyway, can you suggest a better option to get cheap Linux hosting other than redserverhost.com?
Thank you once again!!
Hi Rivaansh,
Thanks for liking our article.
We can't suggest any hosting services, as we provide software-related services to our customers.
Best Regards,
Abdul Wahab
Client Services Executive