Here is a small PHP programming trick to prevent SQL injection in WordPress.
What is SQL injection?
SQL injection is a hacking technique in which an illegal string is given to the SQL statement used to retrieve information from a database to retrieve unintended information or write incorrect data to the database.
"SELECT * FROM users WHERE email = '". $_GET['email']."'"
For example, if the above code was included in WordPress, a hacker could send data from the browser to
SELECT * FROM $wpdb->users WHERE email = 'aaa@aaa.com' or 1 = 1
and have them execute a SQL statement such as In this case, 1=1 will always be true, so there is a possibility that all users’ information could be pulled out.
How to write PHP programming to prevent SQL injection in WordPress
If you insert a process called escaping, which converts the processing characters specific to SQL statements as mere strings, it becomes difficult to illegally execute the SQL statement processing itself.
WordPress has a built-in SQL statement escaping function called esc_sql.
statement converted to non-executable string=esc_sql($_GET['email']);
Besides, SQL injection can also be prevented by replacing SQL statements by explicitly specifying strings or numbers in a process called Prepare.
Escaped SQL statement = $wpdb->prepare( "SELECT * FROM $wpdb->users WHERE email = %s or ID = %d", $_GET['email'], $_GET['id'])
prepare causes %s to be escaped and assigned as a simple string with first factor $_GET[’email’], and %d to be escaped and assigned as a number $_GET[‘id’].
[Free] WordPress:Malware Scanning & Security Plugin [Malware and Virus Detection and Removal].
