How to sanitize this particular mysql query?

I have this SQL query where post_title is taken from $_GET:

$sql = "SELECT ID FROM posts WHERE posts.post_title = '5-design-web-colourful'";


What is the best way to sanitize this and make it safer?

EDIT (as requested): I'm trying to create a plugin that hides a particular category (named private) and all of its posts from every non-logged-in guest. I have hooked into 'pre_get_posts' and 'posts_selection' and am able to control how particular posts and categories are shown to admins, the member who wrote them, other members, and guests.

The category must appear non-existent, so it cannot be shown on the category archive page in the front end.

I know it's not related to the question, because what I ask is just how to sanitize the name/title of a post, nothing more.
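The category-hiding part of the edit above, as an added example (not the asker's plugin code). It assumes a WordPress category whose name is 'private', that guests are identified by is_user_logged_in(), and that the function name example_hide_private_category_from_guests is free to use; it only covers front-end queries that go through WP_Query, so direct access to a single private post needs its own check that is not shown here.

```php
<?php
// Added example, not the asker's plugin code. Assumes WordPress is loaded,
// a category named 'private' exists, and guests are visitors for whom
// is_user_logged_in() is false.

add_action( 'pre_get_posts', 'example_hide_private_category_from_guests' );

function example_hide_private_category_from_guests( WP_Query $query ) {
    // Leave admin screens and logged-in visitors alone.
    if ( is_admin() || is_user_logged_in() ) {
        return;
    }

    $private_id = get_cat_ID( 'private' ); // 0 if no such category exists
    if ( ! $private_id ) {
        return;
    }

    // The archive itself must look like it does not exist: turn the main
    // query for /category/private/ into a 404 instead of listing the posts.
    if ( $query->is_main_query() && $query->is_category( $private_id ) ) {
        $query->set_404();
        status_header( 404 );
        return;
    }

    // Every other front-end query (home, search, feeds, other archives):
    // exclude the category, keeping any exclusions a theme already set.
    $excluded = $query->get( 'category__not_in' );
    $excluded = $excluded ? (array) $excluded : array();
    $excluded[] = $private_id;
    $query->set( 'category__not_in', array_unique( $excluded ) );
}
```

Two caveats a practitioner would check: category__not_in does not exclude child categories of 'private', so each child needs the same treatment, and the category name still leaks through widgets and functions such as wp_list_categories() unless those term queries are filtered as well.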



2 comments

  1. While this doesn’t directly answer your question, the better approach is to use bind parameters. This protects you from all attack vectors of this category.

    http://php.net/manual/en/pdo.prepared-statements.php

    http://www.php.net/manual/en/pdostatement.bindparam.php

    For your example:

    // Assumes $dbh is a PDO connection and the title comes from the request.
    $str = $_GET['post_title'];
    $sth = $dbh->prepare("select id from $wpdb->posts where $wpdb->posts.post_title = ?");
    $sth->bindParam(1, $str);   // the value is sent separately from the SQL text
    $sth->execute();
    $id = $sth->fetchColumn();
    

    CAUTION: This assumes that $wpdb is safe!
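The same idea in the form a WordPress plugin would actually use, as an added example that is not the commenter's code or the asker's: WordPress does not expose a PDO handle, but the global $wpdb object has its own parameterised prepare(). It assumes the request parameter is $_GET['post_title'], that the helper name find_post_id_by_title is free, and that only published posts should match.

```php
<?php
// Added example, not code from the question or the comment above.
// Assumes it runs inside WordPress (global $wpdb, wp_unslash(),
// sanitize_text_field() and wp_die() are available) and that the title
// arrives as $_GET['post_title'].

function find_post_id_by_title( $title ) {
    global $wpdb;

    // Parameterised query: wpdb::prepare() replaces %s with the quoted,
    // escaped value, so a title such as  x' OR '1'='1  is matched literally
    // and cannot change the statement. Do not put quotes around %s yourself.
    // The table name comes from $wpdb->posts (set from the configured
    // prefix), never from user input.
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title = %s AND post_status = 'publish' LIMIT 1",
        $title
    );

    $id = $wpdb->get_var( $sql ); // null when nothing matches
    return $id === null ? 0 : (int) $id;
}

// Request handling: validate the shape of the input before it reaches the
// query. This is about data quality, not injection; the protection against
// injection is the prepare() call above.
$raw   = isset( $_GET['post_title'] ) ? wp_unslash( $_GET['post_title'] ) : '';
$title = sanitize_text_field( $raw ); // strips tags, NULs and stray whitespace

if ( $title === '' || strlen( $title ) > 200 ) {
    wp_die( 'Invalid post title.', 'Bad request', array( 'response' => 400 ) );
}

$post_id = find_post_id_by_title( $title );
```

If the value in the question ("5-design-web-colourful") is really the post slug rather than the title, match the post_name column instead and run the input through sanitize_title(), which reduces it to slug characters. If the query is ever changed to use LIKE, pass the value through $wpdb->esc_like() before prepare(), because % and _ in user input are otherwise treated as wildcards.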