WordPress SQL search, how to handle SQL Injection?

The default public search query variable is s but not q.

So when you use q, on a vanilla WP install, no posts filtering is done, as expected.

You don’t have to take care of possible SQL injections, for the default search query, as it’s taken care of by the core.

Here’s an example when we run the test OR 1=1, the WHERE part of the generated SQL search query is:

AND 
(
    (
           (wp_posts.post_title   LIKE '%test%') 
        OR (wp_posts.post_excerpt LIKE '%test%') 
        OR (wp_posts.post_content LIKE '%test%')
    ) 
    AND 
    (
           (wp_posts.post_title   LIKE '%1=1%') 
        OR (wp_posts.post_excerpt LIKE '%1=1%') 
        OR (wp_posts.post_content LIKE '%1=1%')
    )
)

For this case we don’t see the query search string breaking the SQL query.

If on the other hand you’re adding your own search query, e.g. by modifying the main WP_Query by hand, then you need to watch out for possible SQL injections.
The question is sparse on details, but I’m assuming that’s not the case here.

Related Posts:

  1. How to display SQL query that ran in query?
  2. How to Use Wildcards in $wpdb Queries Using $wpdb->get_results & $wpdb->prepare?
  3. wpdb get posts by taxonomy SQL
  4. Multipart/formatted MySQL query problem
  5. WordPress creating excessive joins on meta_query with search
  6. cron job to auto delete posts of a specific post type older than x days
  7. Are database queries created using WordPress filters protected from SQL injection?
  8. Get posts by category with pure SQL query
  9. Custom query to get terms from post ids
  10. Get the timout value of a saved transient?
  11. What’s wrong with my $wpdb prepare?
  12. How do I see the mysql query generated by get_posts( $args )?
  13. sql select query in wordpress ‘page’ [closed]
  14. problem with sql query in wordpress plugin
  15. Attempt to improve WP search, can someone check my SQL query?
  16. wpdb query problem to access previous 3 days posts
  17. I can’t figure out what’s wrong with this statement. $wpdb->query update
  18. Custom Query – Based on user input
  19. how to insert missing tags into the posts through mySQL?
  20. $wpdb->prepare affecting the query?
  21. exclude pingbacks from wordpress SQL query
  22. prepare function sql safe method
  23. WordPress SQL query to tag all posts containing a specific word on title
  24. Select column name dynamically mySQL Query
  25. How do I query for posts by custom meta and those that have been stickied?
  26. Change pure SQL database query to WordPress post query?
  27. Cannot get sql request from Query object?
  28. I want to get on those users their meta value are like “AGENT” .. but this query is not working
  29. Display data from phpMyAdmin with WordPress
  30. SQL to Query the db and return all posts and it’s metas
  31. SQL query to delete users with multiple meta keys and comments
  32. Nested select statements not working
  33. Speed up search query that searches in post meta?
  34. Are there any best practices for creating a Like/Favourite feature in WordPress using custom MySQL tables and without any plugins?
  35. Fastest and most efficient SQL query to check if UID exists
  36. How to make MySQL search queries with quotes
  37. How i make a custom sql query for Woocommerce
  38. $wpdb query for price in custom field value
  39. Run an update query in a function
  40. How to display a specific category using a custom Query in WordPress?
  41. Slow query when joining wp_posts with a lookup-table?
  42. Wpdb generates too many queries
  43. learn to run wpdb class
  44. SQL Query : how copy all tags of post into their post content in wordpress by sql query
  45. Where can I find the SQL to get the most used information by wordpress database?
  46. Custom Query for wp_posts using wp_postmeta
  47. 3 queries to update WordPress
  48. How can I prevent SQL injection in PHP?
  49. How can I create a meta_query with an array as meta_field?
  50. What SQL Query to do a simple find and replace
  51. Query multiple meta key values?
  52. How to Optimize WP site for millions of posts
  53. What are the common security flaws I need to look for? [closed]
  54. How to get comments by post ID?
  55. Is there a way to list all used/unused WP templates?
  56. Differences between wpdb->get_results() and wpdb->query()
  57. Is there a way of increasing the speed of this query?
  58. Get all image from single page using this query
  59. WordPress it’s cleaning a custom query_var to avoid sql injections?
  60. How can I query all users who registered today?
  61. Get Terms by IDs with IDs order
  62. Reversing the order of posts AFTER the query is performed
  63. what are the numbers between curly brackets in search query
  64. simple sql query on wp_postmeta very slow
  65. Using WordPress public query variables
  66. How to rename a custom field?
  67. When/why does ‘$query->get( ‘tax_query’ );’ return empty?
  68. How to get link and title of next and previous post on single page
  69. Create pagination and order according to alphabet
  70. How to List Events by Year and Month Using Advanced Custom Fields?
  71. Is there any difference between hooks posts_where with posts_join and posts_search performance wise?
  72. wordpress query – orderby child post date
  73. How many WordPress SQL Queries per page?
  74. How to display Section for certain time
  75. Add multiple value to a query variable in WordPress
  76. Search custom post type by meta data
  77. Custom query_var causes displaying posts archive on front page
  78. Slow wp_enqueue_media()
  79. What is the most efficient way of implementing a favorite post system?
  80. Remove [gallery] shortcode altogether
  81. Compare two numeric custom fields
  82. wp_dropdown_categories with multiple select
  83. Advanced Custom Fields – Query Efficiency
  84. Alter query on edit.php
  85. Why does get_the_time(‘F j’) return November 30 for all posts?
  86. Query by one meta_key and sort by another (possibly NULL value)
  87. How to tune search argument in WP_Query to show only exactly the same results?
  88. Custom query filter not working on woocommerce category page
  89. How to delete a transient on post/page publish?
  90. How to make an activities stream mixing posts and comments?
  91. Very slow query
  92. query multiple taxonomy and show post count
  93. Search Terms – Querying on either description__like OR name__like in the same Term Query?
  94. Query & Sort Comments by custom comment meta
  95. How to get my loop to pull posts into three columns
  96. SQL query equivalent to WP User Query
  97. How to display lastest post date in the homepage?
  98. Custom $wpdb Query for Custom Post Type by Category
  99. SQL to update custom post taxonomies
  100. Get a user’s most recent post title
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)