Open caleb99 opened 7 years ago
I thought prepared statements don't allow SQL injection?
https://developer.wordpress.org/reference/classes/wpdb/prepare/#source
if you use them to compile the statement via the argument method. When you pass in string / number values it will compile the query correctly. If there is a raw string passed in the query though, you could try to bust it and insert other SQL (especially if you are passing directly to another function that will execute the query).
Ah yes, I missed that part. So for L31 $fields variable, should we pass it through a function like addslashes( $fields )?
Yeah, let's do that for now. I'll see if I can prototype something that could be nifty.
https://github.com/achhunna/Tally/blob/master/tally-functions.php#L31 https://github.com/achhunna/Tally/blob/master/tally-functions.php#L64
Let's make sure all variables are validated and passed in via wpdb's prepare statement to avoid any potential SQL injection issues down the road (less of an issue on L64, because that's a defined variable).
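The point raised above, shown in code: `wpdb::prepare()` only escapes the values bound to its placeholders, so a raw `$fields` string that is interpolated into the query text before `prepare()` runs is never escaped, and escaping it with `addslashes()` does not help because column names are identifiers, not quoted string values. The following is an added example, not code from the Tally repository. It assumes the usual WordPress `$wpdb` global; the function names, the `$allowed` column list and the `postmeta` table are hypothetical choices for illustration.

```php
<?php
// Added example (not Tally's code): a raw $fields string spliced into the
// query text, beside an allow-list version. $wpdb is assumed to be the
// WordPress database object; function and column names are hypothetical.

// Vulnerable pattern: $fields is interpolated into the SQL before prepare()
// sees it, so prepare() only ever escapes $post_id. Whatever $fields
// contains becomes part of the query text.
function tally_get_fields_unsafe( $fields, $post_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT {$fields} FROM {$wpdb->postmeta} WHERE post_id = %d",
        $post_id
    );
    return $wpdb->get_results( $sql );
}

// Hardened pattern: column names are identifiers, not values, so they are
// checked against an allow-list of the columns this query may expose and
// backtick-quoted; the only caller-influenced value goes through %d.
function tally_get_fields_safe( $fields, $post_id ) {
    global $wpdb;

    // Hypothetical allow-list: only the columns a caller may request.
    $allowed = array( 'meta_id', 'meta_key', 'meta_value' );

    // Split "meta_key, meta_value" into names and keep only allow-listed ones.
    $requested = array_map( 'trim', explode( ',', (string) $fields ) );
    $columns   = array_values( array_intersect( $requested, $allowed ) );
    if ( empty( $columns ) ) {
        return new WP_Error( 'tally_bad_fields', 'No allowed columns requested.' );
    }

    // Quote each allow-listed identifier; no caller text reaches the SQL string.
    $select = implode(
        ', ',
        array_map( function ( $col ) { return "`{$col}`"; }, $columns )
    );

    $sql = $wpdb->prepare(
        "SELECT {$select} FROM {$wpdb->postmeta} WHERE post_id = %d",
        absint( $post_id )
    );
    return $wpdb->get_results( $sql );
}
```

With the allow-list in place, a request such as `meta_key, meta_value` selects exactly those two columns, while any name outside the list is dropped before the query is built. WordPress 6.2 and later also accept a `%i` placeholder in `wpdb::prepare()` that backtick-quotes an identifier, which removes the manual quoting step, but an allow-list is still what limits which columns a caller can ask for.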