WP HealthKit

SQL Injection

SQL Injection is an attack in which untrusted input is interpreted as part of an SQL query rather than as data, allowing an attacker to read, modify, or delete database contents and, depending on the database account's privileges, go further than that.

How it works

SQL injection happens when user input is concatenated directly into an SQL string without being parameterized or escaped. Because the database cannot tell where the developer's query ends and the attacker's input begins, the attacker can change the query's structure: with the query "SELECT * FROM users WHERE id = $id", an $id of "0 OR 1=1" makes the WHERE clause true for every row, and appending further statements or UNION SELECT clauses can read other tables, modify records, or, with a privileged database account, run administrative operations. In WordPress this commonly occurs when developers pass a string with interpolated variables to $wpdb->query(), $wpdb->get_results(), $wpdb->get_row(), or $wpdb->get_var() instead of building the query with $wpdb->prepare() and placeholders.

In WordPress

WordPress provides $wpdb->prepare() as the standard defense. It uses printf-style placeholders (%s for strings, %d for integers, %f for floats, and, since WordPress 6.2, %i for table and column identifiers) and quotes and escapes the bound values itself, so placeholders must not be wrapped in quotes in the query string, and a literal percent sign must be written as %%. For LIKE queries, run the user's term through $wpdb->esc_like() first (it only escapes the %, _ and \ wildcard characters), add your own wildcards, and then bind the whole pattern with %s. prepare() binds values, not SQL syntax: a column name passed through %s becomes a quoted string literal, and a sort direction cannot be a placeholder at all, so anything that must appear as an identifier or keyword (ORDER BY column and direction, a table suffix) should be checked against an allow-list of known-good values, with %i used for the identifier itself.

Code example

// Vulnerable: $id is interpolated into the SQL string, so input such as
// "0 OR 1=1" changes the query's structure
$wpdb->query("SELECT * FROM users WHERE id = $id");

// Safe: %d binds $id as an integer; non-numeric input becomes 0 and
// cannot alter the query's structure
$wpdb->query($wpdb->prepare(
    "SELECT * FROM users WHERE id = %d", $id
));
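The example above covers a single integer. The cases plugin code usually gets wrong are the ones the "In WordPress" section describes: LIKE patterns, ORDER BY columns and directions, and IN (...) lists with a variable number of values. The function below is an added example, not WP HealthKit's code or WordPress core code. It assumes WordPress is loaded (the global $wpdb and the %i placeholder, which needs WordPress 6.2 or later); the plugin prefix acme_, the table acme_records and its columns are made up for the illustration.

```php
<?php
// Added example (not WP HealthKit's code). Assumes WordPress 6.2+ is loaded so that
// $wpdb and the %i identifier placeholder exist. The acme_ prefix, the acme_records
// table and its columns are hypothetical.

/**
 * Search plugin records by title, sorted by a column and direction taken from the
 * request, restricted to a list of record IDs. Every untrusted value reaches the
 * query either through a prepare() placeholder or through an allow-list.
 */
function acme_search_records( string $term, string $orderby, string $order, array $ids ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'acme_records';

    // LIKE: escape the wildcard characters in the user's term first, then add our own
    // wildcards, then bind the whole pattern with %s. Without esc_like(), a term of
    // "%" would match every row.
    $pattern = '%' . $wpdb->esc_like( $term ) . '%';

    // Identifiers cannot be bound as values: "ORDER BY 'title'" sorts by a constant
    // string, not by the column. Check the column against an allow-list, then bind
    // it with %i so it is backtick-quoted.
    $allowed_columns = array( 'created_at', 'title' );
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'created_at';
    }
    // ASC/DESC are keywords, not values; reduce the input to one of two constants.
    $order = ( strtoupper( $order ) === 'ASC' ) ? 'ASC' : 'DESC';

    // IN (...) needs one placeholder per value; intval() keeps the list numeric.
    $ids = array_map( 'intval', $ids );
    if ( empty( $ids ) ) {
        return array();
    }
    $in_placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );

    // prepare() accepts the bound values as a single array. Order of the array must
    // match the order of the placeholders: table, pattern, the IDs, the sort column.
    $sql = $wpdb->prepare(
        "SELECT id, title, created_at FROM %i
         WHERE title LIKE %s AND id IN ($in_placeholders)
         ORDER BY %i $order
         LIMIT 50",
        array_merge( array( $table, $pattern ), $ids, array( $orderby ) )
    );

    $rows = $wpdb->get_results( $sql, ARRAY_A );
    return is_array( $rows ) ? $rows : array();
}

// Typical call from a request handler; the raw request values are passed straight
// in because the function itself is responsible for binding them safely.
// $results = acme_search_records(
//     wp_unslash( $_GET['q'] ?? '' ),
//     $_GET['orderby'] ?? '',
//     $_GET['order'] ?? '',
//     (array) ( $_GET['ids'] ?? array() )
// );
```

Two points worth checking in code review: the only value interpolated directly into the SQL string is $order, and it can only be one of two constants the function itself chose; and the %i placeholders are applied only after the column name has passed the allow-list, so %i is a second layer, not the only defense. If a site runs WordPress older than 6.2, %i is unavailable and the allow-listed column name has to be interpolated directly, in which case the allow-list is the whole defense and must stay strict.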
