mysql - Does using the WordPress get_results() database function prevent sql injection -


couldn't seem find answer wondering if following query database vulnerable sql injection.

$searchpostresults = $wpdb->get_results($querysearchvals, object); 

this query used:

global $wpdb; $offset = (isset($_post["moresearchresults"])) ? $_post["searchoffset"] : 0;  $querysearchvals = "     select distinct post_title, id     {$wpdb->prefix}posts     (";  $svals = array(); $svals = explode(" ", $searchval);  $lastindex = intval(count($svals)) - 1; $orderbycasevals = ""; for($i = 0; $i<count($svals);$i++) {     $querysearchvals .= " post_title '%$svals[$i]%' ";     if($i != $lastindex)         $querysearchvals .= " or ";      $orderbycasevals .= " when post_title '%$svals[$i]%' ($i + 2) "; }  $querysearchvals .= ")      , {$wpdb->prefix}posts.post_type = 'post'     , post_status = 'publish'      order case         when post_title '%$searchval%' 1         $orderbycasevals     end     limit $offset, 6; "; 

cheers

ok tadman explained get_results not prevent sql injection attack.

the prepare function needs used.

i have re written above code prevent sql injection:

global $wpdb; $offset = (isset($_post["moresearchresults"])) ? $_post["searchoffset"] : 0;  $querysearchvals = "     select distinct post_title, id     {$wpdb->prefix}posts     (";  $svals = array(); $svals = explode(" ", $searchval);  $lastindex = intval(count($svals)) - 1; $orderbycasevals = ""; for($i = 0; $i<count($svals);$i++) {     $queryprep = $wpdb->prepare(" post_title '%%%s%%' ", $wpdb->esc_like( $svals[$i] ));     $querysearchvals .= $queryprep;     if($i != $lastindex)         $querysearchvals .= " or ";      $queryprep = $wpdb->prepare(" when post_title '%%%s%%' ($i + 2) ", $wpdb->esc_like( $svals[$i] ));     $orderbycasevals .= $queryprep; }  $querysearchvals .= ")      , {$wpdb->prefix}posts.post_type = 'post'     , post_status = 'publish'      order case";  $queryprep = $wpdb->prepare(" when post_title '%%%s%%' 1 ", $wpdb->esc_like( $searchval )); $querysearchvals .= $queryprep; $querysearchvals .= "         $orderbycasevals     end ";  $queryprep = $wpdb->prepare(" limit %d, 12", $offset); $querysearchvals .= $queryprep . ";"; 

Comments

Popular posts from this blog

ZeroMQ on Windows, with Qt Creator -

unity3d - Unity SceneManager.LoadScene quits application -

python - Error while using APScheduler: 'NoneType' object has no attribute 'now' -