WordPress shortcode attributes for database SELECT?

Here’s the SQL query:

  $simplelist = $wpdb->get_results("SELECT `Row1`, `Row2` 
                                      FROM  `table` 
                                      WHERE `Row1` = " . $atts[text] . "
                                      ORDER BY `Row1` ASC");

Lets pretend we’re the computer and run it in our heads, and the first thing that happens is:

$atts[text] // fatal error!

text isn’t defined, you’re missing quotes, but lets fix that and we run into a new issue. If this value is test the result is:

                              SELECT `Row1`, `Row2` 
                                      FROM  `table` 
                                      WHERE `Row1` = test
                                      ORDER BY `Row1` ASC

test is missing quotes, which is why your query doesn’t work.

The Massive Security Hole

Well you might be thinking “But Tom! Lets just surround it in quotes and it’ll be all fine!”, but we have a problem. There’s no preparing of the statement, so all we need to do is break out of the quotes and insert arbitrary SQL statements. Now anywhere that renders shortcodes can be used to dump any table, drop tables, modify data, and so on.

To fix this, and prevent the original problem, use wpdb prepare, e.g.:

$table_name = "wp_myTable";
$myID = 12;

$wpdb->query( $wpdb->prepare( "UPDATE `$table_name` SET `your_column_1` = 1 WHERE `$table_name`.`your_column_id` = %d", $myID ) );

prepare will make sure the value is safely inserted into the query string in the correct format with the right data type.

Or you can just use a custom post type and avoid all the pain, with the free archives/URLs/templates/UIs/caching/REST endpoints/etc

Related Posts:

  1. Check if a value exists in database table
  2. Solution to render Shortcodes in Admin Editor
  3. Include PHP file in Content using [shortcode]
  4. Enabling shortcodes for custom fields
  5. Changing a function in function.php to a shortcode – for listing categories of only a certain post type
  6. how to create shortcode in wordpress
  7. Display random text from a file with the WP built-in AJAX API
  8. Set first oembed in post to a global variable or function
  9. Formatting post content to exclude gallery
  10. Remove images from get_the_excerpt
  11. Problem with extract() with custom shortcode
  12. Using locate-template & shortcodes doesn’t appear to work
  13. Most efficient way to get custom database records from 20 buttons and 20 tables?
  14. Displaying a random user with a shortcode
  15. How to update BuddyPress xprofile fields programmatically? [closed]
  16. Adding body class when post contains a specific shortcode
  17. Function to show only first instance of shortcode
  18. Best Practice for Syncing Local Development With Staging Development [closed]
  19. creating shortcode to pull json array
  20. Is it good practice to use wpdb->query() function?
  21. Check if row exists before inserting
  22. Pass Shortcode Attribute to footer Script
  23. Detect Safari desktop browser and include the detection in a shortcode
  24. My simple custom shortcode is not longer working (possibly due to upgrade to WordPress 4.4 ?)
  25. Display gallery on top before content
  26. List child pages of specific page using shortcode
  27. when I fetch data from remote mysql database in wordpress built in wordpress function is not working?
  28. create shortcode to list users with specific meta key value
  29. Variable if post is sticky in functions.php
  30. Shortcode inserts paragraphs before and after executing shortcode
  31. Updating Media Published Date When Parent Post Is Modified in WordPress
  32. How can I make a widget shortcode to control all the widgets?
  33. Custom shortcodes not inserting into visual composer columns
  34. Setting youtube size in functions.php
  35. Adding a colorbutton in tinymce dialog with current api
  36. Passing variable as add_shortcode argument
  37. Add button to kitchen sink toggle
  38. Get User Login Data (date, time… )
  39. Multisite 404 on pages – rewrite error breaks database
  40. Accessing two databases wordpress
  41. Optimizing a WordPress site
  42. Shortcode parse error – wrong syntax
  43. wp_nonce_field is breaking form for reasons unknown
  44. Testing for a shortcode using a function. 404 page throwing PHP Notice
  45. Echoing function into WordPress NextGen gallery
  46. Output loop to function return?
  47. How to parse a shortcode within a shortcode?
  48. Variables not showing in short code
  49. Woocommerce checkout field
  50. How to include any template using Shortcode fuction?
  51. How can I pass a shortcode value to the head in wordpress functions.php
  52. Native gallery custom html output
  53. Need to convert image url to a Base_64 data url with wordpress function..
  54. dynamic site link for future migration in echo do_shortcode()
  55. Load scripts for do_shortcode( ‘ [ my_shortcode ] ‘ )
  56. Shortcode question
  57. Modify shortcode to work with custom post types
  58. shorthand syntax for custom fields
  59. Shortcode of a function
  60. show all the posts thumbnails
  61. How to add a shortcode to call a function
  62. How can I call a PHP function inside a hardcoded shortcode?
  63. Is it possible to create a shortcode to link to a specific post/page where the tag is just an attribute?
  64. Load templates, pass arguments, and render output from functions.php
  65. How to add if statement on WordPress shortcode output
  66. Passing function arguments via a shortcode
  67. How can I connect to a second database and still be able to use wp functions like get_post_types()?
  68. Pagination not working – FrontPage
  69. Customizing the wp_video_shortcode output with add_filter
  70. Probleme shortcode with list author
  71. Writing a function for WP Cron to run a SQL command daily
  72. Update wp_postmeta table based on 2 keys
  73. Get Shortcode output to database for static post_content
  74. I want to display the sku in the product pages of my EDD website
  75. Shortcode to output category description by passing ID
  76. Help using ShortCodes to style whole chunks of the post
  77. Shortcode to insert default text and change one word throughout it?
  78. use add_action in a shortcode (gravity form – WordPress)
  79. Button click counter for login user
  80. Shortcode displaying outside the div [duplicate]
  81. Shortcode Initialization in a Custom Theme
  82. Show users last read posts for each user?
  83. Get shortcode attribute value to another function
  84. Hide disclaimer from summary excerpts
  85. Function not receiving string from shortcode
  86. Shortcode to eliminate and replace with
  87. Problem in outputting shortcode
  88. Problem in shortcode outputting content
  89. Pull random comment from specific post, display on homepage with shortcode
  90. Set thumbnail from URL, by grabbing image in functions.php
  91. using enqueue_script in a shortcode isn’t working
  92. Gallery Shortcode Function Help
  93. Echo custom field value in shortcode function
  94. Functions file mods and CPU
  95. Shortcodes not outputting in correct divs
  96. trouble with passing class method data to outside function
  97. Get term count on a category page
  98. PHP error in shortcode [closed]
  99. Bulk set Post Title as Tag where Tag is Empty Function
  100. multible shortcodes (for differnt values) with one function