Is prepare required for Wordpress?

Hi, I have a WordPress plugin and I want to ask something: is prepare required for database operations before sending to Envato? Or for which ones is it mandatory?

Because somewhere, prepare prevents my code from running and I don't get data from the user. I get data from the page in wp-admin with GET.

Output of prepare:

    SELECT * FROM wp_lsph_search_words ORDER BY 'how_much_searched_total' 'desc'

My code:

    $orderby = isset( $_GET['orderby'] ) ? strval( $_GET['orderby'] ) : "how_much_searched_diary";
    $order = isset( $_GET['order'] ) ? strval( $_GET['order'] ) : "DESC";

    global $wpdb;
    $lsph_table = $wpdb->prefix . "lsph_search_words";

    $query = $wpdb->prepare( "SELECT * FROM `$lsph_table` ORDER BY %s %s", array( $orderby, $order ) );
    $searched_list = $wpdb->get_results( $query );

Hi!

(if you’re reading this in your email client, please read it in the forums, to see the code formatted correctly)

  1. First of all, never pass variables you’re getting from the user’s input (_GET, _POST) without escaping them properly. Not escaping them can lead to major SQL injection attacks. When working with such variables, follow the rule “Trust nobody, trust nothing!”. Always escape and validate your variables before passing them to SQL statements.

    So, to escape your variables, first you’ll have to do something like this:

    $orderby = isset( $_GET['orderby'] ) ? mysql_real_escape_string( $_GET['orderby'] ) : 'how_much_searched_diary';
    $order = isset( $_GET['order'] ) ? mysql_real_escape_string( $_GET['order'] ) : 'DESC';
    
  2. Second, you’re getting that incorrect prepare output because wpdb->prepare always quotes the variables. So, you don’t have to use $wpdb->prepare() for ORDER BY clauses. To add ORDER and ORDER BY variables, you only have to concatenate them to the SQL statement like this:

    $sql = "SELECT * FROM $lsph_table ORDER BY " . $orderby . " " . $order;
    $query = $wpdb->prepare( $sql );
    $searched_list = $wpdb->get_results( $query );

  3. Third, again, wpdb->prepare is also used to prevent SQL injection attacks, and it is mandatory before executing a query, based on the same principle: “Trust nobody”.
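The ORDER BY problem from the original question, as an added example that is not code from either poster. It assumes WordPress is loaded (so $wpdb exists) and reuses the table and column names from the question; the function names lsph_resolve_order and lsph_get_search_words are made up for this example. The point it shows is why the prepare() output above is wrong and what to do instead: %s quotes its argument as a string literal, so `ORDER BY 'how_much_searched_total'` sorts by a constant rather than a column. Column names and sort direction are identifiers and keywords, so they are checked against an allow-list instead of being escaped, and prepare() is kept for the actual value in the query.

```php
<?php
// Added example (not the original poster's or the replying user's code).
// Assumes WordPress is loaded ($wpdb available); the table and column
// names are the ones from the question above.

/**
 * Resolve ORDER BY inputs against an allow-list of real column names.
 * Identifiers cannot go through prepare()'s %s: the placeholder quotes
 * its argument, so ORDER BY 'how_much_searched_total' orders by a constant
 * string, i.e. not at all. Validation, not escaping, is the fix here.
 */
function lsph_resolve_order( $orderby, $order ) {
    $allowed_columns = array(
        'how_much_searched_diary',
        'how_much_searched_total',
    );

    // Anything not on the list falls back to the default column.
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'how_much_searched_diary';
    }

    // The direction is only ever one of two keywords.
    $order = ( 'ASC' === strtoupper( (string) $order ) ) ? 'ASC' : 'DESC';

    return array( $orderby, $order );
}

/**
 * Read the list for the admin page. sanitize_key() reduces the raw GET
 * values to [a-z0-9_-] before the allow-list check; the LIMIT is a real
 * value and therefore does go through prepare().
 */
function lsph_get_search_words( $limit = 50 ) {
    global $wpdb;
    $lsph_table = $wpdb->prefix . 'lsph_search_words';

    list( $orderby, $order ) = lsph_resolve_order(
        isset( $_GET['orderby'] ) ? sanitize_key( $_GET['orderby'] ) : '',
        isset( $_GET['order'] ) ? sanitize_key( $_GET['order'] ) : ''
    );

    // Identifiers are interpolated only after allow-list validation;
    // prepare() still handles the one value in the statement.
    $sql = $wpdb->prepare(
        "SELECT * FROM `{$lsph_table}` ORDER BY `{$orderby}` {$order} LIMIT %d",
        absint( $limit )
    );

    return $wpdb->get_results( $sql );
}
```

Since WordPress 6.2, prepare() also accepts an %i placeholder that backtick-quotes an identifier; that removes the need for manual backticks but not for the allow-list, because %i escapes the name without checking that it is a column you meant to expose.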

Hello

Call to undefined function mysql_real_escape_string() what?

So does WordPress need prepare for wpdb->insert and wpdb->update? Because there is no such parameter, it takes the data directly as an array.

In PHP 7 it was removed, but see this: https://www.php.net/manual/en/function.mysql-real-escape-string.php

also: https://wordpress.stackexchange.com/questions/295820/escaping-encoding-data-before-insert-into-a-database
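The insert/update question above, as an added example that is not code from either poster. It assumes WordPress is loaded and that the plugin table from the question has the two counter columns plus an `id` and a `word` column (those two names are assumptions); lsph_record_search and lsph_reset_diary_counts are names made up for this example. It shows that $wpdb->insert() and $wpdb->update() take the data as an array and run each value through prepare() internally according to the format array, while hand-written SQL passed to get_var() or query() still needs an explicit prepare().

```php
<?php
// Added example, not code from the thread. Assumes WordPress is loaded
// ($wpdb available) and that the plugin table from the question has the
// columns used below; `id` and `word` are assumed column names.

/**
 * Record one search term. insert() and update() build the SQL themselves
 * and escape every value per the format array (%s string, %d integer,
 * %f float), so there is no separate prepare() call to make for them.
 */
function lsph_record_search( $word ) {
    global $wpdb;
    $table = $wpdb->prefix . 'lsph_search_words';

    // sanitize_text_field() cleans the value for storage; it is not what
    // protects the statements below. The placeholders and formats are.
    $word = sanitize_text_field( $word );
    if ( '' === $word ) {
        return false;
    }

    // Hand-written SQL: the value is passed through a %s placeholder.
    $id = $wpdb->get_var(
        $wpdb->prepare( "SELECT id FROM `{$table}` WHERE word = %s", $word )
    );

    if ( null === $id ) {
        // insert( $table, $data, $format ): one format entry per column, in order.
        $inserted = $wpdb->insert(
            $table,
            array(
                'word'                    => $word,
                'how_much_searched_diary' => 1,
                'how_much_searched_total' => 1,
            ),
            array( '%s', '%d', '%d' )
        );
        return false !== $inserted;
    }

    // An expression such as "col = col + 1" cannot be written through
    // update()'s data array, so the counters use prepare()'d raw SQL.
    $updated = $wpdb->query(
        $wpdb->prepare(
            "UPDATE `{$table}`
                SET how_much_searched_diary = how_much_searched_diary + 1,
                    how_much_searched_total = how_much_searched_total + 1
              WHERE id = %d",
            (int) $id
        )
    );
    return false !== $updated;
}

/**
 * Plain value assignment fits update():
 * update( $table, $data, $where, $data_format, $where_format ).
 * Both the data and the where arrays are escaped per their formats.
 */
function lsph_reset_diary_counts( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'lsph_search_words';

    return $wpdb->update(
        $table,
        array( 'how_much_searched_diary' => 0 ),
        array( 'id' => (int) $id ),
        array( '%d' ),
        array( '%d' )
    );
}
```

Leaving the format array out is the mistake to watch for: without it every value is treated as %s, so an integer column receives a quoted string and a value that fails the implicit cast can behave unexpectedly; with it, the type of each column is pinned at the call site.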


I’m using sanitize_text_field. Thank you.

My POST method function, is it okay?

    function lsph_post( $post, $type ) {

        // Raw POST value, or null when the field is absent.
        $result = ( isset( $_POST[ $post ] ) ) ? $_POST[ $post ] : null;

        if ( $type == "str" ) {
            $result = strval( $result );
            if ( ! is_string( $result ) )
                return "invalid";

            $result = sanitize_text_field( $result );
        }

        // trim() only accepts strings; leave other values (null, arrays) as they are.
        if ( is_string( $result ) ) {
            $result = trim( $result );
        }
        return $result;

    }