[wp-hackers] sql injection protected included?
Bjorn Wijers
burobjorn at gmail.com
Tue Feb 28 17:52:04 UTC 2012
Hi,
I was looking at this plugin's file[1] and I was a bit surprised about
it not using wpdb->prepare() for escaping user input in db queries.
I've tried to abuse this (proving this plugin contains a mistake and fix
it), but failed.
It seems that WordPress is using its own version of magic_quotes()
called wp_magic_quotes() in wp-includes/load.php to actively prevent
single quotes from being used in the wpdb->query()? Btw I'm sure
magic_quotes() is off in my php.ini (although I do use the Suhosin
Patch). I'm using PHP 5.3.5.
So why bother with wpdb->prepare() or any other higher level escape
functions if WordPress has already (partially?) taken care of this?
Just wondering, if some other people could have a look at this and
perhaps enlighten me on sql injection protection and best practices (for
WordPress plugins) given that I was under the impression one should
always escape user input.
[1] http://plugins.svn.wordpress.org/i-like-this/trunk/like.php
Thanks in advance,
Grtz
BjornW
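An added illustration of the question above (example code written for this page, not code from the original post, from WordPress core or from the i-like-this plugin). wp_magic_quotes() applies addslashes() to $_GET, $_POST, $_COOKIE and $_SERVER, so the first part of the script reproduces that with plain addslashes() and runs under any PHP; the last part uses the real $wpdb->prepare() and only executes when the file is loaded inside WordPress. The table name "likes" and the ip column are assumed for the example.

```php
<?php
// Example added for this page; not the plugin's or WordPress core's code.
// Shows why slash-escaping request data (what wp_magic_quotes() does via
// addslashes()) is not a substitute for $wpdb->prepare().

// 1. Quoted string context: the added backslashes do neutralise the quote.
$title_raw     = "foo' OR '1'='1";
$title_slashed = addslashes($title_raw);           // foo\' OR \'1\'=\'1
$q1 = "SELECT ID FROM wp_posts WHERE post_title = '$title_slashed'";
echo "quoted, slashed:   $q1\n";

// 2. Unquoted numeric context (the usual shape for an id): the payload
//    contains no quote, so addslashes() leaves it untouched and the
//    condition is rewritten to match every row.
$id_raw     = "5 OR 1=1";
$id_slashed = addslashes($id_raw);                 // unchanged: 5 OR 1=1
$q2 = "SELECT COUNT(*) FROM wp_likes WHERE post_id = $id_slashed";
echo "numeric, slashed:  $q2\n";
// -> ... WHERE post_id = 5 OR 1=1

// 3. What prepare()'s %d placeholder amounts to: an integer cast, so
//    nothing but the number survives.
$id_safe = (int) $id_raw;                          // 5
$q3 = "SELECT COUNT(*) FROM wp_likes WHERE post_id = $id_safe";
echo "numeric, %d cast:  $q3\n";

// 4. The real API, when this file runs inside WordPress. %d casts to int,
//    %s is escaped through the database connection and wrapped in quotes.
//    Request values arrive already slashed by wp_magic_quotes(), so strip
//    the slashes first or the backslashes themselves get stored.
if (isset($wpdb) && is_object($wpdb) && method_exists($wpdb, 'prepare')) {
    $post_id = isset($_GET['post_id']) ? stripslashes_deep($_GET['post_id']) : 0;
    $ip      = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '';
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}likes WHERE post_id = %d AND ip = %s",
        $post_id,
        $ip
    );
    echo "prepared:          $sql\n";
}
```

The point the script makes: slashes only help where the value is going to sit inside a quoted literal. An id interpolated bare, a column or ORDER BY name, or a value that came from somewhere other than the superglobals wp_magic_quotes() touches gets no protection at all, which is why the per-placeholder handling in $wpdb->prepare() (or an explicit (int) cast plus esc_sql() where prepare() cannot be used) is still needed.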