On Mon, 19 Jul 2021 at 12:51, Guilliam Xavier <guilliam.xav...@gmail.com> wrote:
> there was *indeed* an SQL injection vulnerability in that code.

Yep, you're right, there was an issue in there as well. esc_like() also needs to use esc_sql() for the value to be added directly to the SQL string. By changing to $wpdb->prepare(), assuming a literal string for the $query argument, then esc_sql() would have been used automatically (technically escape_by_ref).

Shall we just put it down as another example of escaping going wrong, why Parameterised Queries work, and how Taint Checking isn't really a solution (as the value was escaped, ish)?

And if you want another fun one, not that anyone should be using inline JavaScript, but esc_js() doesn't escape single quotes:

    $variable = '\' onmouseover=alert(1) a=\'';
    $html = "<a href='#' onclick='alert( \"" . esc_js( $variable ) . "\" );'>Link</a>";

https://developer.wordpress.com/themes/escaping/#javascript

Craig
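The esc_like() / $wpdb->prepare() point above, as an added example that is not from the mail or from WordPress: the class is a minimal stand-in for the relevant $wpdb methods (esc_like() escaping only LIKE wildcards, a %s placeholder quoting and SQL-escaping the bound value) so the script runs offline; inside WordPress the real $wpdb object is used instead.

```php
<?php
// Stand-in for the two $wpdb methods involved (assumption, not WordPress code).
final class WpdbStandin
{
    // Like WordPress' esc_like(): escapes only the LIKE wildcards and backslash.
    // It is NOT SQL string escaping; quotes pass through untouched.
    public function esc_like(string $text): string
    {
        return addcslashes($text, '_%\\');
    }

    // Like a %s placeholder in $wpdb->prepare(): each bound value is SQL-escaped
    // and quoted by the query layer, so the template itself stays a literal.
    // (Simplified escaping; the real esc_sql() uses mysqli's real_escape_string.)
    public function prepare(string $query, string ...$args): string
    {
        $quoted = array_map(
            fn(string $v): string => "'" . str_replace(["\\", "'"], ["\\\\", "\\'"], $v) . "'",
            $args
        );
        return vsprintf($query, $quoted);
    }
}

// Before: the value is escaped for LIKE, then concatenated straight into the SQL.
// A quote in $term terminates the string literal early, because esc_like() was
// never meant to handle quotes (esc_sql() is missing).
function like_query_unsafe(WpdbStandin $wpdb, string $term): string
{
    return "SELECT ID FROM wp_posts WHERE post_title LIKE '%" . $wpdb->esc_like($term) . "%'";
}

// After: escape the value for LIKE, then bind it with %s. The query argument is a
// literal string; the SQL escaping happens automatically in prepare(). The doubled
// backslashes in the output are how a MySQL string literal carries a single
// backslash through to the LIKE pattern.
function like_query_safe(WpdbStandin $wpdb, string $term): string
{
    return $wpdb->prepare(
        "SELECT ID FROM wp_posts WHERE post_title LIKE %s",
        '%' . $wpdb->esc_like($term) . '%'
    );
}

$wpdb = new WpdbStandin();
$term = "50%_off'";   // constructed input: LIKE wildcards plus a stray quote

echo like_query_unsafe($wpdb, $term), "\n";
echo like_query_safe($wpdb, $term), "\n";
```

Running it shows the quote surviving unescaped in the first query and escaped (with the esc_like() backslashes doubled) in the second, which is the behaviour Craig describes for the prepare() change.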