[wp-hackers] Delete Row - Refreshes Page but not DB
Nikola Nikolov
nikolov.tmw at gmail.com
Sat Oct 19 16:26:01 UTC 2013
PS: I would do a dispute on Freelancer.com (if that's where you hired your
guy) - that's clearly not good quality code. And as Otto pointed out it's
a potential security hole to your site (or what could be even worse -
plugin). You might be able to get your money back, or get the job done
better.
On Sat, Oct 19, 2013 at 5:08 PM, Otto <otto at ottodestruct.com> wrote:
> On Sat, Oct 19, 2013 at 2:21 AM, BenderisGreat
> <greglancaster71 at gmail.com> wrote:
> > *and finally, here is the ajax call (which isn't written how you suggested
> > using ajaxurl in wordpress)*
> >
> >
> > <?php
> > if ( !isset($wp_did_header) ) {
> >     $wp_did_header = true;
> >     require_once('../../../wp-load.php' );
> >     wp();
> >     require_once( ABSPATH . WPINC . '/template-loader.php' );
> > }
> > global $wpdb;
> > if (isset($_REQUEST['id'])) {
> >     $id = $_REQUEST['id'];
> >     $file = $wpdb->get_var("select file from wp_jo_plugin_options WHERE id = $id");
> >     //wp_delete_attachment( $file );
> >     $qry2 = $wpdb->prepare("CREATE TABLE IF NOT EXISTS t2 AS SELECT * from wp_jo_plugin_options WHERE id = %s", $id);
> >     $jo1 = $wpdb->query($qry2);
> >     $qry = $wpdb->prepare("DELETE FROM wp_jo_plugin_options WHERE id = %s", $id);
> >     $jo_remove_row = $wpdb->query($qry);
> > }
> > if (isset($_REQUEST['undo'])) {
> >     $undo = $_REQUEST['undo'];
> >     $qry2 = $wpdb->prepare("insert ignore into wp_jo_plugin_options SELECT * from t2 WHERE id = %s", $undo);
> >     $jo_remove_row = $wpdb->query($qry2);
> > }
> > ?>
> >
> >
> > *Now - I have no idea if this is bad code, but it does not match the same
> > layout you suggested. Is this safe? It cost me about 100 bucks on
> > freelancer.com. :-/*
>
>
> No, that code is not safe. This code at the start, for example, is an
> SQL Injection vulnerability:
>
> if (isset($_REQUEST['id'])) {
>     $id = $_REQUEST['id'];
>     $file = $wpdb->get_var("select file from wp_jo_plugin_options WHERE id = $id");
>
> Because he's not prepare'd or otherwise sanitizing the id parameter,
> it's easy to inject something there.
>
> In general, anytime you include wp-load.php directly, you're probably
> doing-it-wrong. The ajaxurl callback method suggested earlier is
> better all around.
>
>
> -Otto
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
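For contrast with the quoted snippet, here is an added example (not code from the thread, the original poster or the freelancer) of the same row delete done the way Otto recommends: a wp_ajax_ callback reached through ajaxurl instead of including wp-load.php, with the id cast to an integer and every query built with $wpdb->prepare() or $wpdb->delete(). The hook name jo_delete_row, the nonce action jo_delete_row_nonce and the manage_options capability are assumptions; the table name follows the thread.

```php
<?php
// Added example, not the thread's code. Registers an admin-ajax handler that
// deletes one row from wp_jo_plugin_options by id. Hook and nonce names are
// assumed; the table name is the one from the thread.

add_action( 'wp_ajax_jo_delete_row', 'jo_delete_row_handler' );

function jo_delete_row_handler() {
    global $wpdb;

    // wp_ajax_* hooks only fire for logged-in users; additionally require a
    // capability and a nonce so the request cannot be forged from elsewhere.
    check_ajax_referer( 'jo_delete_row_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions' );
    }

    // absint() forces a non-negative integer: the raw request value is never
    // placed into SQL, which is the defect Otto pointed out in the thread.
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( 'missing or invalid id' );
    }

    // Use the configured prefix instead of hard-coding "wp_".
    $table = $wpdb->prefix . 'jo_plugin_options';

    // Vulnerable form from the thread, shown for contrast only:
    //   $wpdb->get_var( "select file from wp_jo_plugin_options WHERE id = $id" );
    // Hardened form: prepare() with a %d placeholder.
    $file = $wpdb->get_var(
        $wpdb->prepare( "SELECT file FROM {$table} WHERE id = %d", $id )
    );

    // $wpdb->delete() builds the WHERE clause from escaped, typed values.
    $deleted = $wpdb->delete( $table, array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( $wpdb->last_error );
    }

    wp_send_json_success( array( 'id' => $id, 'file' => $file, 'rows' => $deleted ) );
}

// Client side (in an enqueued script, with the nonce passed via wp_localize_script):
//   jQuery.post( ajaxurl, { action: 'jo_delete_row', id: rowId, nonce: joData.nonce },
//                function ( resp ) { if ( resp.success ) { /* remove the row */ } } );
```

The nonce is created server-side with wp_create_nonce( 'jo_delete_row_nonce' ) and handed to the script; a request missing it or carrying a stale one is rejected by check_ajax_referer() before any query runs.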