Protecting WordPress from SQL Injection Attacks

David Kierznowski at BlogSecurity suggests that WordPress is “insecure by design.” What he means is that in general WordPress does not sanitize MySQL queries. He recommends that WordPress provide “a proper set of SQL safe functions (i.e. $wpdb->escape_int and $wpdb->escape_str” and “use mysql_real_escape_string(), and have clearly defined coding standards and security policies” like Drupal does.

Actually, the development version of WordPress has been implementing a new “prepare” method of the WordPress DB class. The “prepare” method uses vsprintf to makes sure sure, for example, that integers are truly integers, which should accomplish the same thing as Kierznowski’s proposed escape_int and escape_str methods.

And WordPress once actually did use mysql_real_escape_string(), over two and a half years ago. The problem is that WordPress’s minimum requirements specify only that one use PHP version 4.2 or newer. However, mysql_real_escape_string() was not introduced until PHP version 4.3.0, so WordPress had to rely on an alternate way of escaping queries, one that apparently has caused some trouble, so the whole thing was bypassed. However, PHP 4.3.0 functions have crept into development WordPress already, so it’s likely by the time of the next release (version 2.5) in the spring, that the minimum version will have increased and WordPress will be free to use mysql_real_escape_string.