Created July 5, 2019 19:37
## Unsafe SQL calls

When making database calls, it's highly important to protect your code from SQL injection vulnerabilities. You need to update your code to use `$wpdb->prepare()` with your queries so that every value that reaches the database is properly escaped and quoted.

Please review the following:

* http://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks
* http://codex.wordpress.org/Data_Validation#Database
* http://make.wordpress.org/core/2012/12/12/php-warning-missing-argument-2-for-wpdb-prepare/
* http://ottopress.com/2013/better-know-a-vulnerability-sql-injection/

Some examples from your plugin:
```php
// Update name
$wpdb->update(
	$tablename,                                   // table to update
	array(
		'name' => "New Giveaway (ID #$id)",       // SET name = ...
	),
	array( 'id' => $id ),                         // WHERE id = ...
	array(
		'%s',                                     // format for the 'name' value
	),
	array( '%d' )                                 // format for the 'id' value
);
```
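As an added example (not code from this gist or from the plugin under review), the same kind of query written the unsafe way and then with `$wpdb->prepare()`, `esc_like()` and the format arrays of `update()`. It assumes WordPress is loaded (global `$wpdb`) and a plugin table `{prefix}giveaways` with columns `id` and `name`; both names are placeholders chosen for illustration.

```php
<?php
// Added example, not from the gist or the plugin under review. Assumes WordPress
// is loaded (global $wpdb) and a table {prefix}giveaways with columns id, name;
// the table name is a placeholder chosen for illustration.
function giveaway_table() {
	global $wpdb;
	// The identifier comes from a constant plus the site prefix, never from input;
	// prepare() placeholders cannot quote table or column names.
	return $wpdb->prefix . 'giveaways';
}
// UNSAFE: $id is interpolated straight into the SQL text, so whatever the caller
// passes becomes part of the statement's grammar instead of a bound value.
function giveaway_name_unsafe( $id ) {
	global $wpdb;
	$table = giveaway_table();
	return $wpdb->get_var( "SELECT name FROM {$table} WHERE id = $id" );
}
// SAFE: prepare() takes a query with sprintf-style placeholders (%d, %s, %f) and
// the values as extra arguments. %d casts to int; %s is escaped and quoted.
function giveaway_name( $id ) {
	global $wpdb;
	$table = giveaway_table();
	return $wpdb->get_var(
		$wpdb->prepare( "SELECT name FROM {$table} WHERE id = %d", $id )
	);
}
// LIKE searches need two steps: esc_like() neutralises the user's own % and _
// wildcards, then prepare() quotes the whole pattern as a %s value. A literal
// percent sign in the query text itself must be written as %%.
function search_giveaways( $term ) {
	global $wpdb;
	$table   = giveaway_table();
	$pattern = '%' . $wpdb->esc_like( $term ) . '%';
	return $wpdb->get_results(
		$wpdb->prepare( "SELECT id, name FROM {$table} WHERE name LIKE %s", $pattern )
	);
}
// update()/insert()/delete() build their SET and WHERE clauses through prepare()
// using the format arrays, so the values are escaped without hand-written SQL.
function rename_giveaway( $id, $name ) {
	global $wpdb;
	return $wpdb->update(
		giveaway_table(),
		array( 'name' => $name ),   // SET name = %s
		array( 'id' => $id ),       // WHERE id = %d
		array( '%s' ), array( '%d' )
	);
}
```

Note that `prepare()` must always receive at least one value after the query string; calling it with a bare query is what triggers the "missing argument 2" warning linked above.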