Yogesh Chauhan's Blog

WordPress plugin development: How to fix a SQL injection?

in WordPress on July 6, 2021

Similar Read:

Review an intentionally vulnerable plugin in WordPress

SQL injection Vulnerability

An attacker can exploit this vulnerability to modify your database queries, read sensitive information from the database, or even execute commands on the database server. If the plugin accepts input from an untrusted user, an attacker can take advantage of that by supplying malicious input that alters the queries.

Let’s look at the first SQL injection vulnerability.

The SQL injection vulnerability is caused by incorrect usage of the wpdb::prepare() method on line 42. The variables are interpolated directly into the query string, so prepare() has nothing left to escape:

//vulnerable usage
$wpdb->query( $wpdb->prepare( 
  "INSERT INTO login_audit (login, pass, ip, time) 
  VALUES ('$login', '$pass', '$ip', '$time')" ) );

From WordPress 3.5, you need to pass two arguments to the prepare() method. When you use $wpdb->prepare(), the first argument is the query string, written with placeholders such as %s and %d in place of the values. %d is used for decimal/integer values and %s is used for string values.

The actual variables are passed as separate arguments and are escaped before the final query is built.

SQL injection Vulnerability Fix

This is how you can fix it:

//correct usage
$wpdb->query( $wpdb->prepare( 
  "INSERT INTO login_audit (login, pass, ip, time) 
  VALUES (%s, %s, %s, %s)", 
  $login, $pass, $ip, $time ) );

Refer to this vulnerable.php file on GitHub. On lines 102 and 127, you’ll find more SQL injection vulnerabilities. Those are caused by incorrectly escaping user input.

If you want to use the esc_sql() function to escape user input, the escaped value must be placed inside quotes in the query. In those queries, the user input is not used in a quoted context: it is used as a numeric argument without being enclosed in quotes!
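The unquoted-numeric problem described above, as an added example (not code from the plugin or from the original post). It assumes PHP's pdo_sqlite extension, an in-memory table with a hypothetical id column, and addslashes() as a stand-in for esc_sql(); it shows the escaped-but-unquoted query matching every row while the %d-style integer form matches only one.

```php
<?php
// Added example, not from the plugin: table contents and input are constructed.
// stand_in_esc_sql() is a hypothetical stand-in for WordPress's esc_sql(),
// which likewise only neutralises characters that could end a quoted string.
function stand_in_esc_sql(string $value): string {
    return addslashes($value);
}

// Run a COUNT(*) query with the given WHERE clause and return the match count.
function count_rows(PDO $db, string $where): int {
    return (int) $db->query("SELECT COUNT(*) FROM login_audit WHERE $where")->fetchColumn();
}

// In-memory SQLite database standing in for the WordPress database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE login_audit (id INTEGER PRIMARY KEY, login TEXT)");
$db->exec("INSERT INTO login_audit (login) VALUES ('alice'), ('bob'), ('carol')");

// Constructed untrusted input: it contains no quote character at all,
// so quote-escaping returns it unchanged.
$input   = '2 OR 1=1';
$escaped = stand_in_esc_sql($input);

$cases = [
    // Escaped but unquoted: the input is parsed as SQL, not as a value.
    'escaped, unquoted' => "id = $escaped",
    // Escaped and quoted: the whole input stays one string literal.
    'escaped, quoted'   => "id = '$escaped'",
    // Integer coercion, the effect of a %d placeholder in $wpdb->prepare().
    'integer (%d)'      => sprintf('id = %d', (int) $input),
];

foreach ($cases as $label => $where) {
    printf("%-18s WHERE %-18s -> %d of 3 rows\n", $label, $where, count_rows($db, $where));
}
```

In plugin code the equivalent fix is to pass the value through $wpdb->prepare() with a %d placeholder instead of concatenating the result of esc_sql().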

Credit goes to Jon Cave’s post: How to fix the intentionally vulnerable plugin
