Is this safe enough? Or should it be improved? Is this code protected against SQL injection? (PHP)
    if (isset($_POST['mailSet'])) {
        $asd = filter_input(INPUT_POST, 'TypeM', FILTER_SANITIZE_NUMBER_INT);
        $zxc = filter_input(INPUT_POST, 'mailFor', FILTER_SANITIZE_NUMBER_INT);
        global $wpdb;
        try {
            $wpdb->get_row($wpdb->prepare("UPDATE mail_sttng set setting_val=%d WHERE setting=1 ", $asd));
            $wpdb->get_row($wpdb->prepare("UPDATE mail_sttng set setting_val=%d WHERE setting=2 ", $zxc));
            bla bla...
Answer
I take it for granted that $wpdb is from the WordPress project.
Then as explained by the documentation, the very purpose of these placeholders is to prevent SQL injections.
Hence you can consider your code safe against SQL injections.
Personally I like to cast my values to the right type as soon as possible; now maybe this is the purpose of filter_input, which I don't know about.
    $asd = (int) filter_input(INPUT_POST, 'TypeM', FILTER_SANITIZE_NUMBER_INT);
    $zxc = (int) filter_input(INPUT_POST, 'mailFor', FILTER_SANITIZE_NUMBER_INT);
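As an added example (not the asker's or the answerer's code), here is the same update written with the integer cast the answer recommends, input validation instead of sanitization, and $wpdb->query for the UPDATE. It assumes WordPress is loaded, the mail_sttng table from the question, and a nonce action name 'mail_settings_save' that is made up for the example.

```php
<?php
// Added example. Assumes WordPress (global $wpdb) and the question's table
// `mail_sttng` with columns `setting` and `setting_val`.

/**
 * Read one integer setting from POST. Returns null when the field is missing
 * or is not an integer, so the caller can reject the request instead of writing 0.
 */
function mail_setting_from_post(string $field): ?int {
    // FILTER_SANITIZE_NUMBER_INT only strips characters other than digits, '+'
    // and '-', so "1 OR 1=1" silently becomes "111". FILTER_VALIDATE_INT rejects
    // anything that is not an integer; filter_input returns false on failure
    // and null when the field is absent.
    $value = filter_input(INPUT_POST, $field, FILTER_VALIDATE_INT);
    return ($value === false || $value === null) ? null : (int) $value;
}

/**
 * Update one row of mail_sttng. $setting is chosen by the code, never by the
 * request; $value is bound with %d, so it reaches MySQL as an integer literal.
 * Returns true on success, false if the query failed.
 */
function update_mail_setting(int $setting, int $value): bool {
    global $wpdb;
    $sql = $wpdb->prepare(
        "UPDATE mail_sttng SET setting_val = %d WHERE setting = %d",
        $value,
        $setting
    );
    // query() is the $wpdb method for UPDATE; get_row() would discard the result.
    if ($wpdb->query($sql) === false) {
        error_log('mail_sttng update failed: ' . $wpdb->last_error);
        return false;
    }
    return true;
}

if (isset($_POST['mailSet'])) {
    // Only users allowed to change options may write, and the form must carry
    // the nonce emitted by wp_nonce_field('mail_settings_save') (assumed name).
    $nonce = $_POST['_wpnonce'] ?? '';
    if (!current_user_can('manage_options') || !wp_verify_nonce($nonce, 'mail_settings_save')) {
        wp_die('Not allowed.');
    }
    $typeM   = mail_setting_from_post('TypeM');
    $mailFor = mail_setting_from_post('mailFor');
    if ($typeM === null || $mailFor === null) {
        wp_die('Both settings must be integers.');
    }
    update_mail_setting(1, $typeM);
    update_mail_setting(2, $mailFor);
}
```

The capability and nonce checks address what the placeholders do not: prepare() stops injection, but it does not stop an unauthorised request from changing the settings.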