
Don't worry, this question is not a piece of code & a question "is it safe?".

SQL contains words/commands like BEGIN, FOR, LOOP, DECLARE etc. & looks totally different. I haven't studied it (yet) but there's not a single SQL line in my code (I haven't checked plugins yet but I'm sure WP plugins use WP functions).


My question: Am I safe against SQL injection if I don't use SQL? I only use PHP, WP functions (for communicating with the database) and many other languages not related to the database. Are WP functions made safe?

It really seems stupid for someone familiar with SQL, and there are lots of materials about SQL injection, but I can't find an answer to this, I really can't.


What I mean by WP functions: update_post_meta(); get_user_meta();

halfer
Solo
  • The title should probably be: "Does Wordpress have SQL exploits when custom (eg. 'I don't use sql') SQL is not used?" However, this is probably outside the scope of SO .. – user2864740 Nov 30 '15 at 02:25
  • @user2864740 If you say so. I'll edit it. – Solo Nov 30 '15 at 02:26
  • “100% safe” is something no one should ever claim. – Gumbo Nov 30 '15 at 05:33
  • @Gumbo Yeah, I should repair that. I meant that can I generally feel safe with WP functions. 100% is almost never an option. – Solo Nov 30 '15 at 05:41

2 Answers

No language or platform will ever be safe against any type of injection. There is also no method around to safeguard any piece of code/language/platform against any type of malicious injection.

The issue is, ace hackers are always a step ahead, and as soon as a new security update becomes available to make something safe, they already have an answer/hack to that update.

Remember, SQL injection is just a small section of malicious injection and definitely not the only way hackers get access to a site. Non-sanitized, non-validated inputs from form fields and URLs, PHP used in text areas, etc. etc. There are millions of ways to hack a site in addition to SQL injection.

PHP and Wordpress are relatively safe, IF, and ONLY IF

  • you are using updated versions (the latest available versions). PHP 5.5 will be EOL'ed July 2016, and still all low cost hosts are using PHP 5.2 and PHP 5.3. These versions don't get security updates anymore and haven't been updated for years due to not being supported anymore. So having the latest version of WordPress installed on PHP 5.2 is like having strings for jail bars with an unbreakable lock to keep criminals inside.

  • The software that you are using to extend it, like themes and plugins, has been properly coded. It really does not matter if you have a very safe platform like WordPress but your theme or plugin is using a non-sanitized value from a $_GET variable which can contain malicious code.

As I said, you can never ever stop malicious injection of code, you can only make it harder for hackers to hack your site. Make sure that:

  • PHP and WordPress (and don't forget, MYSQL) are up to date

  • Before installing any theme or plugin, make sure there are no obvious loopholes like non sanitized data

  • NEVER EVER trust any inputs into a site or page, not even from yourself. SANITIZE, VALIDATE AND ESCAPE ALL inputs according to the data that is expected from these inputs.

Last, but not least, your service provider. It really does not matter if WordPress and PHP are up to date when the hosting provider you are using is using a crappy security system. So make sure that your hosting provider knows what they are doing and that security on their side is not an issue.

If you follow this, you can have a relatively safe site that hackers in general won't hack easily.

Pieter Goosen

From the WordPress Codex on protecting queries against SQL Injection attacks:

<?php $sql = $wpdb->prepare( 'query' , value_parameter[, value_parameter ... ] ); ?>

You should also read the database validation docs for a more thorough overview of SQL escaping in WordPress.

It's not quite possible to do SQL injection if you implemented your code properly. But it's not 100% guaranteed. If you are not sure of yourself, just use a standard plugin.

AVI
  • Thanks for your answer! It still seems that this source is addressed when you use SQL queries similar to this: `SELECT * FROM Users WHERE UserId =`. I don't have any of that `SELECT` or `FROM` stuff. Am I safe or is there another way to inject SQL? – Solo Nov 30 '15 at 02:24
  • @Solo if you are not so sure, follow these easy steps, the answer given by Theo: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – AVI Nov 30 '15 at 02:27
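The following is an added example, not code from the question or from either answer, showing concretely what both answers are talking about: the "sanitize, validate and escape" advice from the first answer and the `$wpdb->prepare()` call from the second, next to the meta functions the question actually uses. It is written as a WordPress plugin snippet and assumes it runs inside WordPress (where the global `$wpdb`, `absint()`, `sanitize_text_field()`, `wp_unslash()`, `esc_html()` and the `*_post_meta()` functions exist); the `{$wpdb->prefix}ticket` table and the `ticket_id` query argument are hypothetical.

```php
<?php
/*
 * Added example (not from the question or either answer). Assumes it runs
 * inside WordPress. The table {$wpdb->prefix}ticket and the query argument
 * `ticket_id` are hypothetical, chosen only to illustrate the pattern.
 */

// 1. The case the question worries about: raw SQL assembled from a request
//    parameter. `?ticket_id=1 OR 1=1` returns every row and a single quote
//    breaks the statement. This is SQL injection even though the author
//    "only wrote PHP": a WP plugin that does this is the hole.
function example_unsafe_lookup() {
    global $wpdb;
    $id = $_GET['ticket_id'];                                          // untrusted, unvalidated
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}ticket WHERE id = $id" ); // VULNERABLE
}

// 2. The same query through $wpdb->prepare(). The value is bound to a %d
//    placeholder, so it is cast to an integer and never reaches the SQL
//    parser as text. %s quotes and escapes a string, %f a float; a literal
//    % in the query itself must be written as %%. absint() is the
//    "validate" step: an id that is not a positive integer is rejected
//    before any query runs.
function example_prepared_lookup() {
    global $wpdb;
    $id = isset( $_GET['ticket_id'] ) ? absint( $_GET['ticket_id'] ) : 0;
    if ( 0 === $id ) {
        return null;
    }
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}ticket WHERE id = %d", $id )
    );
}

// 3. LIKE is the usual leftover hole: prepare() escapes quotes but not the
//    LIKE wildcards % and _, so a search term of "%" still matches every
//    row. Run the term through $wpdb->esc_like() before binding it with %s.
function example_prepared_search( $term ) {
    global $wpdb;
    $term = sanitize_text_field( $term );
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$wpdb->prefix}ticket WHERE title LIKE %s", $like )
    );
}

// 4. The high-level API from the question. update_post_meta() /
//    get_post_meta() (and get_user_meta(), which follows the same path)
//    never hand you a query string: internally they go through
//    $wpdb->insert() / $wpdb->update() / prepare(), so key and value are
//    bound, not concatenated. What they do NOT do is validate the value or
//    escape it for output: a value of "<script>..." is stored verbatim, so
//    it must still be escaped (esc_html() here) when it is printed.
function example_meta_roundtrip( $post_id, $raw_value ) {
    $clean = sanitize_text_field( wp_unslash( $raw_value ) );  // sanitize on the way in
    update_post_meta( $post_id, 'ticket_note', $clean );       // safe against SQL injection
    $stored = get_post_meta( $post_id, 'ticket_note', true );
    return esc_html( $stored );                                // escape on the way out
}
```

The practical reading of this for the question: sticking to `update_post_meta()`, `get_user_meta()` and friends does keep your own code clear of SQL injection, because those functions bind their parameters for you. The risk moves to any plugin or theme that builds a query string the way case 1 does, and to the other injection classes (HTML/script output, as in case 4) that the meta functions make no promises about. Searching a plugin's source for `$wpdb->query(`, `$wpdb->get_results(` or `$wpdb->get_row(` calls whose argument is not wrapped in `$wpdb->prepare(` is a quick way to find case-1 code.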