Here is a small PHP programming trick to prevent SQL injection in WordPress.

What is SQL injection?

SQL injection is an attack technique in which a crafted string is supplied to the SQL statement used to retrieve information from a database, so that the statement reads unintended information or writes incorrect data to the database.

$sql = "SELECT * FROM users WHERE email = '" . $_GET['email'] . "'";

For example, if the above code were included in WordPress, an attacker could send data from the browser that makes it execute a SQL statement such as

SELECT * FROM $wpdb->users WHERE email = 'aaa@aaa.com' or 1 = 1

In this case, 1 = 1 is always true, so all users' information could be pulled out.

How to write PHP programming to prevent SQL injection in WordPress

If you insert a process called escaping, which converts the characters that have special meaning in SQL statements into plain string characters, it becomes difficult to make the SQL statement itself execute unintended processing.

WordPress has a built-in SQL statement escaping function called esc_sql.

$escaped_email = esc_sql( $_GET['email'] ); // the special characters are escaped, so the value is treated as a plain string

SQL injection can also be prevented by building the SQL statement with placeholders that explicitly declare whether each value is a string or a number, in a process called prepare.

$sql = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE email = %s OR ID = %d", $_GET['email'], $_GET['id'] );

prepare escapes the first argument, $_GET['email'], and inserts it in place of %s as a plain quoted string, and casts the second argument, $_GET['id'], to a number and inserts it in place of %d.
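Putting the two techniques side by side with the vulnerable form, as an added example that is not code from the original post: a WordPress plugin function that looks up a user by e-mail or ID. It assumes WordPress is loaded (so $wpdb, esc_sql(), absint() and wp_unslash() exist), uses the real wp_users column name user_email, and the function names are hypothetical.

```php
<?php
// Added example, not from the original post. Assumes it runs inside WordPress
// (e.g. in a plugin), so $wpdb, esc_sql(), absint() and wp_unslash() are defined.

// VULNERABLE: the request value is concatenated straight into the SQL, so a
// quote character in the value closes the string literal and the rest of the
// value becomes SQL (the "or 1 = 1" case shown above).
function example_find_user_unsafe( $email ) {
    global $wpdb;
    $sql = "SELECT ID, user_email FROM {$wpdb->users} WHERE user_email = '" . $email . "'";
    return $wpdb->get_results( $sql );
}

// SAFE: $wpdb->prepare() escapes %s and wraps it in quotes itself, and casts %d
// to an integer, so the quote in a payload stays data and never closes the literal.
// Note: do not put quotes around %s in the format string; prepare() adds them.
function example_find_user_safe( $email, $id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT ID, user_email FROM {$wpdb->users} WHERE user_email = %s OR ID = %d",
        $email,
        absint( $id ) // %d already casts to int; absint() just makes the intent explicit
    );
    return $wpdb->get_results( $sql );
}

// ALSO SAFE, with esc_sql(): the escaped value must still be wrapped in quotes
// by the caller, because esc_sql() escapes characters but does not add quotes.
function example_find_user_esc_sql( $email ) {
    global $wpdb;
    $escaped = esc_sql( $email );
    return $wpdb->get_results(
        "SELECT ID, user_email FROM {$wpdb->users} WHERE user_email = '{$escaped}'"
    );
}

// Typical call site in a request handler. wp_unslash() undoes the slashes
// WordPress adds to $_GET so the value is escaped exactly once by prepare().
$email = isset( $_GET['email'] ) ? wp_unslash( $_GET['email'] ) : '';
$id    = isset( $_GET['id'] ) ? $_GET['id'] : 0;
$rows  = example_find_user_safe( $email, $id );
```

The same request that turns example_find_user_unsafe() into a tautology returns no rows from the two safe variants, because the quote arrives at the database as an escaped character inside the string.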
