Yogesh Chauhan's Blog

WordPress plugin development: How to fix a SQL injection?

in WordPress on July 6, 2021

Similar Read:

Review an intentionally vulnerable plugin in WordPress

SQL injection Vulnerability

This vulnerability can be exploited by an attacker to modify your database queries, read sensitive information from the database, or even execute commands on the database server. If the plugin accepts input from an untrusted user, an attacker can take advantage of that by supplying malicious input that alters the queries the plugin runs.

Let’s look at the first SQL injection vulnerability.

The SQL injection vulnerability is caused by incorrect usage of the wpdb::prepare() method on line 42 of the plugin:


//vulnerable usage: the variables are interpolated straight into the SQL string,
//so prepare() receives no placeholders and no values to bind
$wpdb->query( $wpdb->prepare(
  "INSERT INTO login_audit (login, pass, ip, time)
  VALUES ('$login', '$pass', '$ip', '$time')" )
);


Since WordPress 3.5, prepare() must be called with at least two arguments. When you use $wpdb->prepare(), the query string with placeholders such as %s and %d is the first argument. %d is used for decimal/integer values and %s is used for string values.

The actual values are passed as separate arguments and are escaped before the final query is built.

SQL injection Vulnerability Fix

This is how you can fix it:


//correct usage: placeholders in the query string, values bound as separate arguments
$wpdb->query( $wpdb->prepare(
  "INSERT INTO login_audit (login, pass, ip, time)
  VALUES (%s, %s, %s, %s)",
  $login, $pass, $ip, $time )
);


Refer to the vulnerable.php file on GitHub. On lines 102 and 127, you’ll find more SQL injection vulnerabilities. Those are caused by incorrectly escaping user input.

If you want to use the esc_sql() function to escape user input, the escaped value must be placed inside quotes in the query. In those queries the user input is not used in a quoted context: it is inserted as a numeric argument without surrounding quotes, so escaping quote characters does nothing to stop the injection!
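As an added example that is not part of this post or of the vulnerable plugin, here is the same numeric-context mistake beside its corrected form. It assumes a WordPress environment (the global $wpdb) and an integer id column on the login_audit table, and the function names are hypothetical:

```php
<?php
// Added example, not code from the post or the plugin. Assumes WordPress
// ($wpdb global) and that login_audit has an integer id column (assumption).

// VULNERABLE: esc_sql() only escapes quote, backslash and similar characters,
// so it protects a value that sits inside quotes. Here the value is unquoted,
// so input like "1 OR 1=1" contains nothing to escape and rewrites the WHERE.
function la_get_audit_row_vulnerable( $id ) {
    global $wpdb;
    $id = esc_sql( $id );
    return $wpdb->get_row(
        "SELECT login, ip, time FROM login_audit WHERE id = $id"
    );
}

// FIXED: validate the type first, then let prepare() bind the value with %d.
function la_get_audit_row_fixed( $id ) {
    global $wpdb;
    $id = absint( $id ); // non-numeric input becomes 0
    if ( 0 === $id ) {
        return null;
    }
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT login, ip, time FROM login_audit WHERE id = %d",
            $id
        )
    );
}

// For a string compared with LIKE, escape the wildcard characters with
// $wpdb->esc_like() before binding with %s; prepare() adds the quotes itself.
function la_search_audit_by_login( $needle ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $needle ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT login, ip, time FROM login_audit WHERE login LIKE %s",
            $like
        )
    );
}
```

Note that prepare() supplies the quotes around %s, so the placeholder must not be written as '%s' in the query string.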

Credit goes to Jon Cave’s post: How to fix the intentionally vulnerable plugin

