
I have written a WordPress PHP template to take user input via an HTML form. The information in the form is used to create a new (draft) post. I have escaped all the input using:

esc_html($_POST['name']);

I also check that user input is present before submitting. How do I protect against SQL injection? Are there any other precautions I should take?

  • Hi @user, welcome to SO. This seems like a very google-able question and probably has a duplicate on this very site :) – Ben Mar 25 '15 at 18:13
  • http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – Paul Griffin Mar 25 '15 at 18:47

1 Answer


If you're using the built-in functions (such as wp_insert_post) for creating the post then you don't need to worry about SQL injections; WordPress escapes the content before inserting into the database.

If you are running any additional queries, make sure you use $wpdb->prepare() to bind your parameters. The escaping will be taken care of for you.

You should read this article:

https://codex.wordpress.org/Data_Validation#Database

You should also look into adding a nonce to your form:

https://codex.wordpress.org/Function_Reference/wp_nonce_field

Mathew Tinsley
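The following is an added example, not code from the question or the answer above, that puts the answer's three recommendations together in one template handler: a nonce on the form (checked with wp_verify_nonce()), input sanitized before it is handed to wp_insert_post(), and any extra query bound with $wpdb->prepare(). The field names, the nonce action name, the hidden "example_action" field and the function names are assumptions made for illustration. Note that esc_html() from the question is an output escape for HTML; it is not what protects the database, so the example uses it only when echoing user data back into the page.

```php
<?php
// Added example (not from the original question or answer): a minimal handler for a
// front-end form that creates a draft post. Field names, the nonce action name and the
// hidden "example_action" field are assumptions for illustration.

// Render the form: wp_nonce_field() adds the nonce that wp_verify_nonce() checks below.
function example_render_form() {
    ?>
    <form method="post">
        <?php wp_nonce_field( 'example_create_draft', 'example_nonce' ); ?>
        <input type="hidden" name="example_action" value="create_draft">
        <input type="text" name="name" required>
        <textarea name="body" required></textarea>
        <button type="submit">Submit</button>
    </form>
    <?php
}

// Handle the submission at the top of the template, before any output is sent.
function example_handle_submission() {
    if ( ! isset( $_POST['example_action'] ) || 'create_draft' !== $_POST['example_action'] ) {
        return;
    }

    // CSRF check: reject requests that do not carry a valid nonce for this action.
    if ( ! isset( $_POST['example_nonce'] ) || ! wp_verify_nonce( $_POST['example_nonce'], 'example_create_draft' ) ) {
        wp_die( 'Invalid request.' );
    }

    // Authorization: only users allowed to edit posts may create drafts.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Permission denied.' );
    }

    // Sanitize on input: strip tags from the title, allow only post-safe HTML in the body.
    $title = isset( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
    $body  = isset( $_POST['body'] ) ? wp_kses_post( wp_unslash( $_POST['body'] ) ) : '';

    if ( '' === $title || '' === $body ) {
        wp_die( 'Both fields are required.' );
    }

    // wp_insert_post() builds the INSERT itself through $wpdb->insert(), so the values
    // are escaped for the database without any manual SQL escaping here.
    $post_id = wp_insert_post(
        array(
            'post_title'   => $title,
            'post_content' => $body,
            'post_status'  => 'draft',
            'post_type'    => 'post',
        ),
        true // return a WP_Error on failure instead of 0
    );

    if ( is_wp_error( $post_id ) ) {
        wp_die( esc_html( $post_id->get_error_message() ) );
    }

    // esc_html() is an OUTPUT escape: use it when echoing user data into HTML,
    // not as a substitute for parameter binding in SQL.
    echo '<p>Draft created: ' . esc_html( $title ) . '</p>';
}

// For any hand-written query, bind values with $wpdb->prepare() instead of
// concatenating user input into the SQL string.
function example_count_drafts_with_title( $title ) {
    global $wpdb;

    // Unsafe form to avoid: "... WHERE post_title = '$title'" with $title concatenated in.
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_status = %s AND post_title = %s",
        'draft',
        $title
    );

    return (int) $wpdb->get_var( $sql );
}
```

Call example_handle_submission() before the template emits any markup (for example at the top of the template file) and example_render_form() where the form should appear. The capability check is an addition beyond the answer's list: a nonce proves the request came from your form, but it does not by itself say whether the current visitor should be allowed to create posts.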