
Question to hacker professionals.

I checked a lot of similar questions and the PHP Manual docs along with W3Schools, and they all use different methods, so I'm going crazy with all the possible methods (not sure which one to use?).

(For example, the PHP Manual uses the bind_param function:

$stmt->bind_param('sssd', $code, $language, $official, $percent);

But I couldn't get it working, so I used this one:

// %s is wpdb's string placeholder and %d its integer placeholder (%i is not an integer placeholder);
// placeholders are not wrapped in quotes, prepare() adds them itself; `key` is a reserved word in MySQL.
$queryString = "SELECT * FROM mytable WHERE dom=%s AND `key`=%s AND user_id=%d";
$stmt = $wpdb->get_results( $wpdb->prepare($queryString, $dom, $key, $user_id) );

(I assumed %i is integer and %s is string.) This code works, but I'm not sure if it prevents SQL injection.

Is this correct and enough to prevent SQL injection? (PS: the variables are normally created before this, like $dom = "mydom";)

Thanks a lot!

1 Answer

In your example, I see that you are using WordPress functions, so going that route you should consult the documentation for what you are doing, specifically prepare(): https://developer.wordpress.org/reference/classes/wpdb/prepare/

It states: "Prepares a SQL query for safe execution..."

So essentially, yes, you are protecting your query, albeit by trusting that WordPress is doing it correctly internally.

D. Simmons
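To make the difference concrete, here is the question's lookup written three ways: as plain string interpolation (the pattern that is injectable), with wpdb::prepare() as the answer recommends, and with the mysqli bind_param() style from the PHP manual snippet. This is an added example, not code from the question, the answer or WordPress itself; it assumes a loaded WordPress $wpdb (or an open mysqli connection) and reuses the table and column names from the question.

```php
<?php
// Added example: the same lookup as unsafe interpolation, as wpdb::prepare(),
// and as a mysqli server-side prepared statement. Table/column names come
// from the question; $wpdb / $db are assumed to be live connections.

// 1. UNSAFE: the values become part of the SQL text, so a quote character in
//    $dom or $key changes the structure of the statement itself.
function find_rows_unsafe(wpdb $wpdb, string $dom, string $key, int $user_id): array {
    $sql = "SELECT * FROM mytable WHERE dom='$dom' AND `key`='$key' AND user_id=$user_id";
    return $wpdb->get_results($sql, ARRAY_A);
}

// 2. wpdb::prepare(): %s / %d / %f are the value placeholders. They are NOT
//    wrapped in quotes (prepare() escapes and quotes %s itself), %d is the
//    integer placeholder, and there is no integer %i (in WordPress 6.2+ %i
//    marks an identifier, not a number). `key` is a MySQL reserved word, so
//    the column name is backtick-quoted. Placeholders protect values only:
//    table/column names or ORDER BY clauses still need an allow-list.
function find_rows_wpdb(wpdb $wpdb, string $dom, string $key, int $user_id): array {
    $sql = $wpdb->prepare(
        "SELECT * FROM mytable WHERE dom = %s AND `key` = %s AND user_id = %d",
        $dom,
        $key,
        $user_id
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

// 3. mysqli prepared statement: the query text is sent to the server first and
//    the values travel separately, so no value can alter the statement.
//    The type string for bind_param() is one letter per value: s = string,
//    i = integer (d = double, b = blob).
function find_rows_mysqli(mysqli $db, string $dom, string $key, int $user_id): array {
    $stmt = $db->prepare("SELECT * FROM mytable WHERE dom = ? AND `key` = ? AND user_id = ?");
    $stmt->bind_param('ssi', $dom, $key, $user_id);
    $stmt->execute();
    // get_result() requires the mysqlnd driver; bind_result() is the alternative.
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

Both safe variants give the same rows as the interpolated query for ordinary input; they differ only in that the input can no longer change what the query does.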