We get a lot of submissions to the WordPress.org plugin repository, and so there is often a lot of dangerous code submitted. Usually this isn’t malicious; it’s just written by people who honestly don’t know that their code has problems. Understanding those problems is the first step to fixing them.
So here’s one common vulnerability we see in code submissions again and again: SQL Injection.
To understand SQL Injection, let’s quote Wikipedia for a moment:
SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution
Here’s a piece of code made for WordPress, which is querying the database for a post:
// bad code, do not use
$results = $wpdb->get_results( "SELECT * FROM $wpdb->posts WHERE ID = $id" );
If you don’t see the problem with this code right away, then you should continue reading this post.
(Yes, this article shows the basics of the prepare() function. If you already know about the prepare() function, you might be shocked at the number of people who do not.)
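As an added illustration (this is not the original post's code), here is the query above placed beside a version that goes through $wpdb->prepare(). It assumes WordPress is loaded so that the global $wpdb object exists; the function names are my own.

```php
<?php
// Added example, not from the original post. Assumes WordPress has been
// loaded so the global $wpdb database object is available.

// VULNERABLE: $id is interpolated straight into the SQL string, so whatever
// the caller passes (for example an unvalidated request parameter) becomes
// part of the statement itself rather than a value the statement compares.
function example_get_post_unsafe( $id ) {
    global $wpdb;
    return $wpdb->get_results( "SELECT * FROM $wpdb->posts WHERE ID = $id" );
}

// SAFE: the SQL is written with a placeholder and the value is handed to
// prepare(), which formats it as an integer (%d), a float (%f) or a quoted,
// escaped string (%s). The value can never change the shape of the query.
function example_get_post_safe( $id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT * FROM $wpdb->posts WHERE ID = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}

// Same pattern for string columns. prepare() adds the quotes around %s
// itself, so the placeholder must NOT be wrapped in quotes in the SQL.
function example_get_post_by_slug_safe( $slug ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT * FROM $wpdb->posts WHERE post_name = %s AND post_status = %s",
        $slug,
        'publish'
    );
    return $wpdb->get_results( $sql );
}

// Usage from a request handler (constructed input, for illustration):
// $id    = isset( $_GET['id'] ) ? absint( wp_unslash( $_GET['id'] ) ) : 0;
// $posts = example_get_post_safe( $id );
```

Two details worth remembering when converting a query to prepare(): a literal percent sign in the SQL has to be written as %% so it is not read as a placeholder, and a value destined for a LIKE clause should be passed through $wpdb->esc_like() before it is given to prepare() as a %s argument.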