
Is this code protected against SQL injection?

Is this safe enough? Or should it be improved? Is this code protected against SQL injection? (PHP)

if (isset($_POST['mailSet'])) {
    // FILTER_SANITIZE_NUMBER_INT keeps only digits, '+' and '-' from the raw POST value
    $asd = filter_input(INPUT_POST, 'TypeM', FILTER_SANITIZE_NUMBER_INT);
    $zxc = filter_input(INPUT_POST, 'mailFor', FILTER_SANITIZE_NUMBER_INT);
    global $wpdb;

    try {
        // %d placeholders: prepare() casts the argument to an integer before
        // building the query. $wpdb->query() is the method for UPDATE statements
        // (the original used get_row(), which is meant for SELECT).
        $wpdb->query($wpdb->prepare("UPDATE mail_sttng SET setting_val=%d
        WHERE setting=1
        ", $asd));
        $wpdb->query($wpdb->prepare("UPDATE mail_sttng SET setting_val=%d
        WHERE setting=2
        ", $zxc));


bla bla...


Answer

I take it for granted that $wpdb is from the WordPress project.

Then, as explained in the documentation, the very purpose of these placeholders is to prevent SQL injection.

Hence you can consider your code safe against SQL injections.

Personally I like to cast my values to the right type as soon as possible; now maybe this is the purpose of filter_input, which I don't know about.

$asd = (int) filter_input(INPUT_POST, 'TypeM', FILTER_SANITIZE_NUMBER_INT);
$zxc = (int) filter_input(INPUT_POST, 'mailFor', FILTER_SANITIZE_NUMBER_INT);
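An added example, not code from the question or the answer and not WordPress's own prepare() implementation: a stand-alone PHP script that emulates the integer cast a %d placeholder performs and compares FILTER_SANITIZE_NUMBER_INT with FILTER_VALIDATE_INT on constructed inputs, which shows why the explicit (int) cast suggested above is worth doing and what each filter hands back.

```php
<?php
// Added example: emulates what a %d placeholder does (cast the argument to an
// integer before interpolation) and contrasts FILTER_SANITIZE_NUMBER_INT with
// FILTER_VALIDATE_INT on the same raw values. Runs offline; no WordPress or
// database needed. prepare_setting_update() is a stand-in, not wpdb::prepare().

// Stand-in for the %d behaviour: the argument is forced to an integer, so it
// can never carry SQL text into the statement.
function prepare_setting_update(string $raw, int $setting): string
{
    $value = (int) $raw;
    return sprintf("UPDATE mail_sttng SET setting_val=%d WHERE setting=%d", $value, $setting);
}

// filter_var() applies the same filters as filter_input(), but to an explicit
// value instead of a request superglobal, so the comparison runs offline.
function inspect_input(string $raw): array
{
    return [
        'raw'       => $raw,
        'sanitized' => filter_var($raw, FILTER_SANITIZE_NUMBER_INT), // keeps digits, '+' and '-'
        'validated' => filter_var($raw, FILTER_VALIDATE_INT),        // false unless a whole integer
    ];
}

// Constructed sample inputs, including values a form would never send on purpose.
$samples = ['7', ' 42 ', '1-2', "7; DROP TABLE mail_sttng", 'abc', ''];

foreach ($samples as $raw) {
    $info = inspect_input($raw);
    printf("%-28s sanitized=%-8s validated=%-6s sql: %s\n",
        var_export($raw, true),
        var_export($info['sanitized'], true),
        var_export($info['validated'], true),
        prepare_setting_update((string) $info['sanitized'], 1)
    );
}
```

Note that FILTER_SANITIZE_NUMBER_INT keeps '-' and '+', so '1-2' survives sanitization and casts to 1, while 'abc' becomes '' and casts to 0; FILTER_VALIDATE_INT returns false for all of these, which lets the caller reject the request instead of silently storing a wrong setting.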
User contributions licensed under: CC BY-SA