SQL Injection
SQL Injection is an attack where malicious SQL code is inserted into application queries, allowing attackers to read, modify, or delete database data.
How it works
SQL injection happens when user input is concatenated directly into SQL queries without sanitization. An attacker can manipulate the query structure to access unauthorized data, modify records, or even execute administrative operations on the database. In WordPress, this commonly occurs when developers use $wpdb->query() with string interpolation instead of $wpdb->prepare() with parameterized placeholders.
In WordPress
WordPress provides $wpdb->prepare() as the standard defense. It uses printf-style placeholders (%s for strings, %d for integers, %f for floats) and automatically escapes the values. For LIKE queries, use $wpdb->esc_like() before passing to prepare().
Code example
// Vulnerable: $id is interpolated straight into the SQL string, so any
// value that is not a plain number changes the structure of the query.
$wpdb->query("SELECT * FROM users WHERE id = $id");

// Safe: %d is a parameterized placeholder. prepare() casts $id to an
// integer before it reaches the query, so the query structure is fixed.
// (For %s, prepare() adds the quotes itself; never write '%s' in the SQL.)
$wpdb->query($wpdb->prepare(
    "SELECT * FROM users WHERE id = %d", $id
));
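The LIKE case mentioned above needs one extra step beyond prepare(), because % and _ are wildcards inside a LIKE pattern. The following is an added example, not code from the original page or from WP HealthKit; it assumes it runs inside WordPress, where the global $wpdb object and the $wpdb->posts table name are available, and the function name wphk_example_search_titles is hypothetical.

```php
<?php
// Added example: search post titles safely with a user-supplied term.
// Assumes a WordPress runtime (global $wpdb); function name is hypothetical.

function wphk_example_search_titles( string $term, int $limit = 10 ): array {
    global $wpdb;

    // Vulnerable form, shown only for comparison and never executed here:
    // the term is interpolated into both the SQL string and the LIKE pattern,
    // so a quote changes the query and a % or _ changes what is matched.
    // $sql = "SELECT ID, post_title FROM {$wpdb->posts}
    //         WHERE post_title LIKE '%{$term}%' LIMIT {$limit}";

    // Safe form, in three steps.
    // 1. esc_like() escapes the LIKE wildcards (% and _) and the backslash,
    //    so the user's text is matched literally rather than as a pattern.
    //    The surrounding wildcards we want are added after escaping.
    $like = '%' . $wpdb->esc_like( $term ) . '%';

    // 2. prepare() binds the values. %s is quoted and escaped by prepare()
    //    itself, so it is written without quotes in the SQL; %d casts to an
    //    integer, which also covers the LIMIT clause. The table name comes
    //    from $wpdb, not from user input, so interpolating it is fine.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s
         LIMIT %d",
        $like,
        $limit
    );

    // 3. Run the already-prepared statement; rows come back as assoc arrays.
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}
```

A term such as `50%` therefore matches titles containing the literal text "50%" instead of every title starting with "50".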