[wp-hackers] Delete Row After Submit - Undefined
J.D. Grimes
jdg at codesymphony.co
Sat Oct 12 14:00:48 UTC 2013
In this code, you have a potential SQL injection vulnerability:
> <?php
> if (isset($_POST['id'])) {
>     $id = $_POST['id'];
>     if (isset($_POST['deleteItem'])) {
>         get_delete_post_link( get_the_ID( $row['file']));
>         $qry = "DELETE FROM wp_jo_plugin_options WHERE id = ".$id.""; // ****** <- HERE *******
>         $jo_remove_row = $wpdb->query($qry);
>     }
> }
> ?>
You should be using $wpdb->delete() (http://codex.wordpress.org/Class_Reference/wpdb#DELETE_Rows), and you should really also be using nonces (http://codex.wordpress.org/WordPress_Nonces).
Also, I don't understand why you are calling get_delete_post_link(). All that it does is return the URL that a user can visit to delete a post. If you want to delete the attachment, call wp_delete_post() with the attachment ID (http://codex.wordpress.org/Function_Reference/wp_delete_post).
--J.D.
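As an added illustration of the advice above (this is example code, not code from the original poster or from J.D.'s reply), here is the same delete handler rewritten to use a nonce, a capability check, an integer-coerced id, $wpdb->delete() with the real table prefix, and wp_delete_post() for the referenced attachment. It assumes the table is {$wpdb->prefix}jo_plugin_options with an integer column id and a column file holding an attachment post ID, that the form is rendered by a hypothetical jo_render_delete_form() and handled by a hypothetical jo_handle_delete(), and that manage_options is the capability that should gate deletion.

```php
<?php
/*
 * Added example (not code from the original thread): a hardened version
 * of the quoted delete handler. Assumptions: the table is
 * {$wpdb->prefix}jo_plugin_options with integer column `id` and a column
 * `file` holding an attachment (post) ID; jo_render_delete_form() and
 * jo_handle_delete() are hypothetical names; manage_options is the
 * capability that should gate deletion.
 */

// Render a delete button carrying a nonce tied to this specific row.
function jo_render_delete_form( $row_id ) {
    $row_id = absint( $row_id );
    ?>
    <form method="post">
        <input type="hidden" name="id" value="<?php echo esc_attr( $row_id ); ?>" />
        <?php wp_nonce_field( 'jo_delete_row_' . $row_id, 'jo_delete_nonce' ); ?>
        <input type="submit" name="deleteItem" value="Delete" />
    </form>
    <?php
}

// Handle the submission: validate input, check capability and nonce, then delete safely.
function jo_handle_delete() {
    global $wpdb;

    if ( ! isset( $_POST['deleteItem'], $_POST['id'] ) ) {
        return;
    }

    // absint() coerces to a non-negative integer; a non-numeric id becomes 0 and is rejected.
    $id = absint( $_POST['id'] );
    if ( 0 === $id ) {
        return;
    }

    // Only users with the assumed capability may delete rows.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to do this.' );
    }

    // Nonce bound to this row id; check_admin_referer() dies on failure, which also blocks CSRF.
    check_admin_referer( 'jo_delete_row_' . $id, 'jo_delete_nonce' );

    // Use the configured prefix rather than hard-coding "wp_".
    $table = $wpdb->prefix . 'jo_plugin_options';

    // Fetch the attachment ID stored in the row before the row is removed.
    $attachment_id = $wpdb->get_var(
        $wpdb->prepare( "SELECT file FROM {$table} WHERE id = %d", $id )
    );

    // $wpdb->delete() builds the WHERE clause through prepare(); the %d format forces an integer,
    // so user input never reaches the SQL string unescaped.
    $deleted = $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );

    // If the row referenced an attachment, delete the attachment post itself
    // (wp_delete_post() returns false or null when no such post exists).
    if ( $deleted && $attachment_id ) {
        wp_delete_post( absint( $attachment_id ), true );
    }
}
add_action( 'init', 'jo_handle_delete' );
```

Because the nonce action string includes the row id, a token issued for one row cannot be replayed to delete another; and because the id is coerced with absint() and passed to $wpdb->delete() with a %d format, the original string concatenation that produced the injection point is gone entirely.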