Yogesh Chauhan's Blog

WordPress plugin development: How to fix a SQL injection?

in WordPress on July 6, 2021

Similar Read:

Review an intentionally vulnerable plugin in WordPress

SQL injection Vulnerability

This vulnerability can be exploited by an attacker to modify your database queries, read sensitive information from the database, or even execute commands on the database server. If the plugin accepts input from an untrusted user, an attacker can take advantage of that by supplying malicious input that alters the queries the plugin builds.

Let’s look at the first SQL injection vulnerability.

This SQL injection vulnerability is caused by incorrect usage of the wpdb::prepare() method on line 42:

//vulnerable usage: the variables are interpolated straight into the query string,
//so prepare() receives a single argument and nothing is escaped
$wpdb->query( $wpdb->prepare(
  "INSERT INTO login_audit (login, pass, ip, time)
  VALUES ('$login', '$pass', '$ip', '$time')" ) );

Since WordPress 3.5, prepare() requires at least two arguments. When you call $wpdb->prepare(), the first argument is the query string containing placeholders such as %s and %d: %d is used for decimal/integer values and %s is used for string values.

The actual variables are passed in a separate argument and escaped before actually creating the query.

SQL injection Vulnerability Fix

This is how you can fix it:

//correct usage: placeholders in the query string, values passed separately
//(note that %s placeholders are not wrapped in quotes; prepare() adds them)
$wpdb->query( $wpdb->prepare(
  "INSERT INTO login_audit (login, pass, ip, time)
  VALUES (%s, %s, %s, %s)",
  $login, $pass, $ip, $time ) );

Refer to this vulnerable.php file on Github. On lines 102 and 127, you’ll find more SQL injection vulnerabilities. Those are caused by incorrectly escaping user input.

If you want to use the esc_sql() function to escape user input, the escaped value must be used inside quotes in the SQL. In those queries, the user input is not used in a quoted context: the queries use the user-supplied values as numeric arguments without enclosing them in quotes, so escaping quote characters does nothing to protect them!
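As an added illustration (not code from the vulnerable.php file or from Jon Cave's post), here is the unquoted-numeric pattern beside a prepare() version that fixes it. The `login_audit` table with an integer `id` column and the `$raw_id` request value are assumed:

```php
<?php
// Added illustration, not code from vulnerable.php. Assumes the global $wpdb
// object and a login_audit table with an integer primary key column `id`.

// Vulnerable: esc_sql() only escapes quote and backslash characters. In an
// unquoted numeric position a value such as "1 OR 1=1" contains none of those,
// so it passes through untouched and the WHERE clause matches every row.
function delete_audit_row_vulnerable( $raw_id ) {
    global $wpdb;
    $escaped = esc_sql( $raw_id );
    return $wpdb->query( "DELETE FROM login_audit WHERE id = $escaped" );
}

// Fixed: validate the value as a positive integer up front, then let
// prepare() build the query. The %d placeholder casts the argument to an
// integer, so only a number can ever reach the SQL.
function delete_audit_row_fixed( $raw_id ) {
    global $wpdb;
    $id = absint( $raw_id );
    if ( 0 === $id ) {
        return false; // refuse input that is not a positive integer
    }
    return $wpdb->query(
        $wpdb->prepare( "DELETE FROM login_audit WHERE id = %d", $id )
    );
}
```

The same rule applies to the INSERT above: a placeholder, never string interpolation, is what puts user data into the query.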

Credit goes to Jon Cave’s post: How to fix the intentionally vulnerable plugin
