achhunna / client-revenue-schedule-t201610

Billing system management app

SQL injection #1

Open caleb99 opened 7 years ago

caleb99 commented 7 years ago

https://github.com/achhunna/Tally/blob/master/tally-functions.php#L31
https://github.com/achhunna/Tally/blob/master/tally-functions.php#L64

Let's make sure all variables are validated and passed in via wpdb's prepare statement to avoid any potential SQL injection issues down the road (less of an issue on L64, because that's a defined variable).

achhunna commented 7 years ago

I thought prepared statements don't allow sql injection?

caleb99 commented 7 years ago

https://developer.wordpress.org/reference/classes/wpdb/prepare/#source

If you use them to compile the statement via the argument method. When you pass in string / number values it will compile the query correctly. If there is a raw string passed in the query though, you could try to bust it and insert other SQL (especially if you are passing directly to another function that will execute the query).

achhunna commented 7 years ago

Ah yes, I missed that part. So for the L31 $fields variable, should we pass it through a function like addslashes( $fields )?

caleb99 commented 7 years ago

Yeah, let's do that for now. I'll see if I can prototype something that could be nifty.
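The distinction caleb99 draws above (a placeholder protects the value it binds, but a raw string spliced into the query text is outside the placeholder's reach) and the follow-up question about the `$fields` column list are illustrated by the example below. It is an added example, not code from the Tally repository, and it is not WordPress code: Python's `sqlite3` parameter binding stands in for `wpdb::prepare()` placeholders, and the `revenue` and `admin_keys` tables, their columns, and the `ALLOWED_FIELDS` list are all assumed for the demonstration.

```python
"""Placeholders bind values, not identifiers: a sqlite3 stand-in for wpdb::prepare()."""
import re
import sqlite3

# Assumed column names for the demonstration; not the plugin's real schema.
ALLOWED_FIELDS = ("id", "client", "amount", "due_date")


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: a billing table plus a table an attacker would want."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE revenue (id INTEGER, client TEXT, amount REAL, due_date TEXT);
        INSERT INTO revenue VALUES (1, 'acme', 1200.0, '2016-10-01');
        INSERT INTO revenue VALUES (2, 'globex', 800.0, '2016-10-15');
        CREATE TABLE admin_keys (api_key TEXT);
        INSERT INTO admin_keys VALUES ('sk_live_secret');
        """
    )
    return conn


def query_raw_fields(conn: sqlite3.Connection, fields: str, client: str) -> list:
    """The pattern flagged in the issue: the column list is spliced into the SQL
    text as a raw string; only the client value goes through the placeholder
    (the '?' here plays the role of wpdb::prepare's %s)."""
    sql = f"SELECT {fields} FROM revenue WHERE client = ?"
    return conn.execute(sql, (client,)).fetchall()


def validate_fields(fields: str) -> list:
    """Allow-list check for identifiers. A placeholder cannot bind a column
    name, so the list has to be validated before it is concatenated into SQL."""
    names = [f.strip() for f in fields.split(",")]
    for name in names:
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name) or name not in ALLOWED_FIELDS:
            raise ValueError(f"disallowed field: {name!r}")
    return names


def query_validated_fields(conn: sqlite3.Connection, fields: str, client: str) -> list:
    """Hardened form: identifiers pass the allow-list and are quoted, the value is bound."""
    cols = ", ".join(f'"{name}"' for name in validate_fields(fields))
    sql = f"SELECT {cols} FROM revenue WHERE client = ?"
    return conn.execute(sql, (client,)).fetchall()


def demo() -> dict:
    conn = setup_db()
    results = {}

    # 1. A quote inside the bound *value* is harmless: it is compared as data.
    results["bound_value"] = query_raw_fields(conn, "client, amount", "x' OR '1'='1")

    # 2. The raw column list is not protected by the placeholder at all:
    #    a subquery smuggled into $fields reads another table.
    evil_fields = "client, (SELECT api_key FROM admin_keys) AS amount"
    results["raw_fields"] = query_raw_fields(conn, evil_fields, "acme")

    # 3. The allow-list rejects the same input before it reaches the database.
    try:
        query_validated_fields(conn, evil_fields, "acme")
        results["validated"] = "accepted"
    except ValueError as exc:
        results["validated"] = str(exc)

    # 4. Legitimate column names still work through the validated path.
    results["validated_ok"] = query_validated_fields(conn, "client, amount", "acme")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same shape carries over to the plugin: run the `$fields` list through an allow-list of known column names before it is concatenated, and keep every user-supplied value in a `%s`/`%d` placeholder of `$wpdb->prepare()`. In MySQL the validated identifiers would be wrapped in backticks rather than double quotes.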