How to Prevent WordPress SQL Injection Attacks

It is difficult to find a common link between CIA, Microsoft, LinkedIn, Yahoo, Sony Pictures and PBS, but they do have something in common. Hackers were able to hack into these organizations and their websites using a technique called SQL injection. SQL abbreviated as Structured Query Language, is used to manage data in the database. Websites are built on the basis of data stored in the database, which is a back end for any Web application. Hacking these databases would provide hackers with account credentials and other important information, along with the power to alter the website content. So what is SQL Injection and how can we prevent it?

How to prevent SQL Injections in WordPress and Data Security Internet

How Does SQL Injection Work?

An SQL injection attack would send malicious codes to the database. These codes find their way through illegal channels such as unfiltered input data. An unfiltered input data refers to an error filled input by any user. The website tries to filter the input errors and save them in the database. Sometimes the error is displayed to the user stating that syntax error has occurred. This indicates a breach in the security system. Any securely coded website would have deleted the error from the hacker’s input.

For example, a hacker inputs a login username as mummy’. Here single apostrophe is an error. The database displays an error, which indicates that the user input has been included in the syntax of the SQL query. This is a major loophole, valuable information that any hacker looks for. A secured website would have corrected the error and allowed only those characters that are relevant. Now with the information that the website is not secured, he would send more sophisticated codes. A very good hacker can get away with information such as table names, fields in the table and other important data.

With the increase in SQL injection attacks, it has become the main priority for any website owner to secure it. Designing a bad database layer is the reason behind these successful attacks. WordPress is the most popular blog publishing tool online. In WordPress, $wpdb class is the database layer built exclusively to prevent these kind of attacks. This class is equipped with some in-built functions to defend these attacks. These functions can be divided into two as validating input and preparing query.

Validating Input:

The validating function takes is used to accept the right input from the user. The functions are listed below.

esc_html ($input): this function is used to get plain text. All the html codes would be eliminated and only the plain text would be accepted.

wp_kses ($string, $allowed_html): this function is used to accept html strings. Apart from the strings, other html tags would be removed.

esc_url($input): this function is used to accept the url typed as input.

is_email($email): this function is used to check the inputs for email address.

intval($input): this function is used to accept integer values.

Preparing a Query:

In programming language, an escape character consists of many escape sequences to control characters. Line break uses the escape sequence \n. similarly, it is good to make sure that query string uses escape sequence before using in the database query. WordPress has built in functions such as esc_sql($query) and $wpdb-escape($query).

There are other ways of prevention against these attacks. As mentioned above, filtering the user data input is one of the main priorities. ModSecurity is an open source Web application firewall that is equipped with a set of protocols to filter dangerous requests. One of these measures can prevent websites for possible SQL injection attacks.

Robin Mckenzie likes writing articles related to Technology, Entertainment, and Finance. He also does guest posting for Centurylink, a site that offers savings and current information on consumers broadband internet and cable.

VN:F [1.9.22_1171]
Rating: 10.0/10 (1 vote cast)
How to Prevent WordPress SQL Injection Attacks, 10.0 out of 10 based on 1 rating

2 Responses to “How to Prevent WordPress SQL Injection Attacks”

  1. Carsten

    Oct 19. 2012

    SQL Injections exist since SQL and query based programming languages exist. always try to secure up your code to prevent hacking and manipulation attacks

    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
    Reply to this comment
  2. Luis

    Oct 21. 2012

    Thanks for the wordpress security tips. SQL injection is one of popular attacking methods

    VA:F [1.9.22_1171]
    Rating: 0 (from 0 votes)
    Reply to this comment

Leave a Reply