How to prevent SQL Injection in Wordpress?

Question

I'm currently using the following query to get values in mysql using php:

The code is working, but now I'm worried about sql injections.

How to prevent SQL injection?

<?php include_once("wp-config.php");
@$gameid = $_GET['gameid'];

global $wpdb;
$fivesdrafts = $wpdb->get_results( 
    "
    SELECT ID
    FROM $wpdb->posts
    WHERE  ID = ".$gameid." 

    "
);
?>

is this safe?

<?php include_once("wp-config.php");
@$gameid = mysql_real_escape_string($_GET['gameid']);

global $wpdb;
$fivesdrafts = $wpdb->get_results(
$wpdb->prepare(
    "
    SELECT ID
    FROM $wpdb->posts
    WHERE  ID = %d", ".$gameid.")
);
?>

rnevius · Accepted Answer · 2014-11-05T09:26:27.710

15

From the WordPress Codex on protecting queries against SQL Injection attacks:

<?php $sql = $wpdb->prepare( 'query' , value_parameter[, value_parameter ... ] ); ?>

If you scroll down a bit farther, there are examples.

You should also read the database validation docs for a more thorough overview of SQL escaping in WordPress.

edited Nov 05 '14 at 09:26

answered Nov 05 '14 at 09:21

rnevius

26,578
10
58
86

How to prevent SQL Injection in Wordpress?

1 Answers1

Linked

Related