[wp-hackers] Delete Row - Refreshes Page but not DB
Otto
otto at ottodestruct.com
Sat Oct 19 14:08:11 UTC 2013
On Sat, Oct 19, 2013 at 2:21 AM, BenderisGreat
<greglancaster71 at gmail.com> wrote:
> *and finally, here is the ajax call (which isn't written how you suggested
> using ajaxurl in wordpress)*
>
>
> <?php
> if ( !isset($wp_did_header) ) {
>     $wp_did_header = true;
>     require_once('../../../wp-load.php' );
>     wp();
>     require_once( ABSPATH . WPINC . '/template-loader.php' );
> }
> global $wpdb;
> if (isset($_REQUEST['id'])) {
>     $id = $_REQUEST['id'];
>     $file = $wpdb->get_var("select file from wp_jo_plugin_options WHERE id = $id");
>     //wp_delete_attachment( $file );
>     $qry2 = $wpdb->prepare("CREATE TABLE IF NOT EXISTS t2 AS SELECT * from wp_jo_plugin_options WHERE id = %s", $id);
>     $jo1 = $wpdb->query($qry2);
>     $qry = $wpdb->prepare("DELETE FROM wp_jo_plugin_options WHERE id = %s", $id);
>     $jo_remove_row = $wpdb->query($qry);
> }
> if (isset($_REQUEST['undo'])) {
>     $undo = $_REQUEST['undo'];
>     $qry2 = $wpdb->prepare("insert ignore into wp_jo_plugin_options SELECT * from t2 WHERE id = %s", $undo);
>     $jo_remove_row = $wpdb->query($qry2);
> }
> ?>
>
>
> *Now - I have no idea if this is bad code, but it does not match the same
> layout you suggested. Is this safe? It cost me about 100 bucks on
> freelancer.com. :-/*
No, that code is not safe. This code at the start, for example, is an
SQL Injection vulnerability:
if (isset($_REQUEST['id'])) {
    $id = $_REQUEST['id'];
    $file = $wpdb->get_var("select file from wp_jo_plugin_options WHERE id = $id");
Because he's not prepare'd or otherwise sanitizing the id parameter,
it's easy to inject something there.
In general, anytime you include wp-load.php directly, you're probably
doing-it-wrong. The ajaxurl callback method suggested earlier is
better all around.
-Otto
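For comparison, here is the delete handler rewritten the way Otto describes: as a wp_ajax_* callback reached through ajaxurl, with the id bound through $wpdb->prepare() instead of being interpolated into the string. This is an added example, not code from the thread or from the freelancer; it assumes the table is {$wpdb->prefix}jo_plugin_options with an integer id column, that the admin-side JavaScript posts action=jo_delete_row together with a nonce field named nonce (created with wp_create_nonce('jo_delete_row')), and that "manage_options" is the right capability for this plugin.

```php
<?php
// Added example (not from the thread). Registers the handler for
// POST {ajaxurl}?action=jo_delete_row so no direct include of wp-load.php
// is needed; WordPress is already loaded when admin-ajax.php runs it.
add_action( 'wp_ajax_jo_delete_row', 'jo_delete_row_handler' );

function jo_delete_row_handler() {
    global $wpdb;

    // Only users allowed to manage the plugin's data may delete rows
    // (capability name is an assumption for this example).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Reject requests that did not originate from our own admin page
    // (the JS is assumed to send wp_create_nonce('jo_delete_row') as "nonce").
    check_ajax_referer( 'jo_delete_row', 'nonce' );

    // Cast to a non-negative integer: anything non-numeric becomes 0
    // and never reaches the query at all.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'invalid id', 400 );
    }

    // Assumed table name; using $wpdb->prefix instead of a hard-coded "wp_".
    $table = $wpdb->prefix . 'jo_plugin_options';

    // Original (vulnerable): "select file ... WHERE id = $id" built by string
    // interpolation. Hardened: a %d placeholder, so prepare() emits an
    // integer literal and the request value can never change the SQL.
    $file = $wpdb->get_var(
        $wpdb->prepare( "SELECT file FROM {$table} WHERE id = %d", $id )
    );
    if ( null === $file ) {
        wp_send_json_error( 'not found', 404 );
    }

    // $wpdb->delete() builds "WHERE id = %d" through prepare() for us.
    $deleted = $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( $wpdb->last_error, 500 );
    }

    wp_send_json_success( array( 'id' => $id, 'file' => $file ) );
}
```

The undo branch from the original would get the same treatment: its own wp_ajax_* action, the same capability and nonce checks, and %d rather than %s for the integer id.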
More information about the wp-hackers
mailing list