My question is about $wpdb methods in WordPress. Before running these methods, for example:
$wpdb->query
$wpdb->get_results
$wpdb->get_var ...
do we need to escape/filter inputs? Is this required/preferred for every method or only some?
Is this enough, for example, to deal with all illegal chars (example from the WordPress Codex):
$wpdb->query(
$wpdb->prepare( "DELETE FROM $wpdb->postmeta WHERE post_id = '13' AND meta_key = 'gargle'" ,$id, $key )
);
EDIT:
As indicated in the answer below, indeed for every single user input you should check parameter values prior to insertion into the database. It's not only about security, it's about the general logic of the web app (for example, parsing something on the frontend will not end up with a proper result for the end user if the data you keep in the database is not what you expect, even if that data is not questionable from a security standpoint).
Having said this, the prepare method mentioned above for WordPress is the method which will guarantee and remove any security concerns from the perspective of SQL injection.
The example from the WordPress Codex pages has an error. They should use %d and %s instead of '13' and 'gargle':
However, you should check the variables' content type every time. You need to ensure that the types are correct. For example, check that the 'post_id' variable content is an integer.
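The following is an added example, written for this page; it is not the question's code and not the WordPress Codex example. It shows the prepare() call as the edit says it should read (placeholders %d and %s, values passed as separate arguments), the type check on post_id that the edit asks for, and two cases the page does not spell out: LIKE patterns (prepare() escapes quotes but not the LIKE wildcards) and identifiers (table or column names cannot be passed as %s). The function names are hypothetical; the code assumes it runs inside WordPress, where the global $wpdb object and helpers such as absint() exist.

```php
<?php
// Added example, not from the question or the WordPress Codex.
// Assumes a WordPress runtime: $wpdb and absint() are available.

/**
 * Delete one meta row the way the Codex example should read:
 * placeholders in the SQL, values passed separately to prepare().
 * Returns the number of deleted rows, or false on invalid input or failure.
 */
function example_delete_post_meta( $raw_post_id, $raw_meta_key ) {
    global $wpdb;

    // Type/shape checks come first. prepare() stops SQL injection, but it
    // does not tell you whether the value makes sense for the application.
    $post_id = absint( $raw_post_id );            // non-numeric input becomes 0
    if ( 0 === $post_id || (string) $post_id !== (string) $raw_post_id ) {
        return false;                             // reject "13abc", "-5", "", arrays ...
    }
    // Allowlist for this example's own meta keys (assumed policy, not a WordPress rule).
    if ( ! is_string( $raw_meta_key ) || ! preg_match( '/^[A-Za-z0-9_]{1,255}$/', $raw_meta_key ) ) {
        return false;
    }

    // %d is cast to an integer, %s is quoted and escaped by $wpdb.
    // Do not wrap %s in quotes yourself; prepare() adds them.
    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key = %s",
        $post_id,
        $raw_meta_key
    );

    return $wpdb->query( $sql );
}

/**
 * Same discipline for a read: get_var() takes raw SQL, so any outside
 * value still has to go through prepare() first.
 */
function example_get_post_meta_value( $raw_post_id, $raw_meta_key ) {
    global $wpdb;

    $post_id = absint( $raw_post_id );
    if ( 0 === $post_id || ! is_string( $raw_meta_key ) || '' === $raw_meta_key ) {
        return null;
    }

    return $wpdb->get_var( $wpdb->prepare(
        "SELECT meta_value FROM {$wpdb->postmeta} WHERE post_id = %d AND meta_key = %s LIMIT 1",
        $post_id,
        $raw_meta_key
    ) );
}

/**
 * LIKE needs one extra step: prepare() escapes quotes but leaves the
 * wildcards % and _ alone, so the user-supplied fragment is passed through
 * $wpdb->esc_like() and the wildcard is appended afterwards.
 */
function example_find_meta_keys_with_prefix( $raw_prefix ) {
    global $wpdb;

    if ( ! is_string( $raw_prefix ) || '' === $raw_prefix ) {
        return array();
    }
    $pattern = $wpdb->esc_like( $raw_prefix ) . '%';

    return $wpdb->get_col( $wpdb->prepare(
        "SELECT DISTINCT meta_key FROM {$wpdb->postmeta} WHERE meta_key LIKE %s",
        $pattern
    ) );
}

/**
 * Identifiers (table and column names) cannot go through %s: prepare()
 * would turn them into quoted string literals. Map the input onto a fixed
 * allowlist instead. (WordPress 6.2 and later also offer an %i placeholder
 * for identifiers; the allowlist works on every version.)
 */
function example_order_clause( $raw_orderby ) {
    $allowed = array( 'meta_id', 'post_id', 'meta_key' );
    $column  = in_array( $raw_orderby, $allowed, true ) ? $raw_orderby : 'meta_id';
    return "ORDER BY {$column} ASC";
}
```

The rule of thumb the code follows: every method that accepts an SQL string (query, get_var, get_results, get_row, get_col) needs prepare() whenever any part of that string comes from outside the code, and prepare() is not a substitute for checking that post_id is really an integer or that a key is one your application recognises.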