[wp-hackers] sql injection protected included?

Bjorn Wijers burobjorn at gmail.com
Tue Feb 28 17:52:04 UTC 2012


I was looking at this plugin's file[1] and I was a bit surprised about 
it not using wpdb->prepare() for escaping user input in db queries.

I've tried to abuse this (proving this plugin contains a mistake and fix 
it), but failed.

It seems that WordPress is using it's own version of magic_quotes() 
called wp_magic_quotes() in wp-includes/load.php to actively prevent 
single quotes from being used in the wpdb->query()? Btw I'm sure 
magic_quotes() is off in my php.ini (although I do use the Suhosin 
Path). I'm using PHP 5.3.5.

So why bother with wpdb->prepare() or any other higher level escape 
functions if WordPress is already (partially?) taken care of this?

Just wondering, if some other people could have a look at this and 
perhaps enlighten me on sql injection protection and best practices (for 
WordPress plugins) given that I was under the impression one should 
always escape user input.

[1] http://plugins.svn.wordpress.org/i-like-this/trunk/like.php

Thanks in advance,


More information about the wp-hackers mailing list