mysql - Does using the WordPress get_results() database function prevent sql injection -

-

couldn't seem find answer wondering if following query database vulnerable sql injection.

$searchpostresults = $wpdb->get_results($querysearchvals, object);

this query used:

global $wpdb; $offset = (isset($_post["moresearchresults"])) ? $_post["searchoffset"] : 0;  $querysearchvals = "     select distinct post_title, id     {$wpdb->prefix}posts     (";  $svals = array(); $svals = explode(" ", $searchval);  $lastindex = intval(count($svals)) - 1; $orderbycasevals = ""; for($i = 0; $i<count($svals);$i++) {     $querysearchvals .= " post_title '%$svals[$i]%' ";     if($i != $lastindex)         $querysearchvals .= " or ";      $orderbycasevals .= " when post_title '%$svals[$i]%' ($i + 2) "; }  $querysearchvals .= ")      , {$wpdb->prefix}posts.post_type = 'post'     , post_status = 'publish'      order case         when post_title '%$searchval%' 1         $orderbycasevals     end     limit $offset, 6; ";

cheers

ok tadman explained get_results not prevent sql injection attack.

the prepare function needs used.

i have re written above code prevent sql injection:

global $wpdb; $offset = (isset($_post["moresearchresults"])) ? $_post["searchoffset"] : 0;  $querysearchvals = "     select distinct post_title, id     {$wpdb->prefix}posts     (";  $svals = array(); $svals = explode(" ", $searchval);  $lastindex = intval(count($svals)) - 1; $orderbycasevals = ""; for($i = 0; $i<count($svals);$i++) {     $queryprep = $wpdb->prepare(" post_title '%%%s%%' ", $wpdb->esc_like( $svals[$i] ));     $querysearchvals .= $queryprep;     if($i != $lastindex)         $querysearchvals .= " or ";      $queryprep = $wpdb->prepare(" when post_title '%%%s%%' ($i + 2) ", $wpdb->esc_like( $svals[$i] ));     $orderbycasevals .= $queryprep; }  $querysearchvals .= ")      , {$wpdb->prefix}posts.post_type = 'post'     , post_status = 'publish'      order case";  $queryprep = $wpdb->prepare(" when post_title '%%%s%%' 1 ", $wpdb->esc_like( $searchval )); $querysearchvals .= $queryprep; $querysearchvals .= "         $orderbycasevals     end ";  $queryprep = $wpdb->prepare(" limit %d, 12", $offset); $querysearchvals .= $queryprep . ";";

Comments

Post a Comment

Popular posts from this blog

ios - MKAnnotationView layer is not of expected type: MKLayer -

-
Image
so code works fine logger riddled message. there way rid of or suppress it? postannotation.swift class postannotation: mkpointannotation { //mark: properties let post: post //mark: initialization init(post: post) { self.post = post super.init() self.coordinate = cllocationcoordinate2d(latitude: post.latitude, longitude: post.longitude) self.title = post.title self.subtitle = post.timestring() } } adding annotation let annotation = postannotation(post: post) self.map.addannotation(annotation) func mapview func mapview(_ mapview: mkmapview, viewfor annotation: mkannotation) -> mkannotationview? { if annotation mkuserlocation { return nil } var annotationview = mapview.dequeuereusableannotationview(withidentifier: "pin") as? mkpinannotationview if annotationview == nil { annotationview = mkpinannotationview(annotation: annotation, reuseidentifier: "pin")
Read more

ZeroMQ on Windows, with Qt Creator -

-
i have installed zmq link given below on windows 7. http://zeromq.org/distro:microsoft-windows 1) have c++ project in qt-creator , i'm using zmq c++ binding (zhelpers.hpp etc). 2) have added .lib installed zmq folder qtcreator 3) while compiling, compiler looks _imp__zmq_verion, in .dll files present in .lib have __imp_zmq_version. 4) causing undefined reference zmq_version. anyone else faced problem , has solution ?
Read more

unity3d - Unity SceneManager.LoadScene quits application -

-
i have 2 different scenes 1 named 'main' , other 'game' both added scenes in load. when use scenemanager.loadscene("game"); works no problem when tried return main scene code if (input.getkeydown (keycode.escape)) { scenemanager.loadscene("main"); } strangely game quits. thanks. sorry interruption. somewhere on other script found code. if (input.getkeydown (keycode.escape)) { application.quit (); } that's bad, know...
Read more