0

I have made this insert query:

$insertsuccess = $wpdb->insert( 
    'compservices', 
    array( 
                'orderId'=> $orderID,
        'orderedTime' => $date, 
        'useremail' => $customerEmail,
        'address' => $address , 
        'mobile' => $mobile ,
        'servicecenter' => $servicecentername ,
                'timeslot'=> $timeSlot,
                'preferredlanguage'=> $preferredLanguage,
                'status'=> $orderStatus,
                'completedDate'=> $orderCompletionDate,
                'userissue'=> $userIssue ,
                'userproduct'=> $userProduct
    ), 
    array( 
        '%s',
        '%s', 
        '%s',
        '%s',
        '%s',
        '%s',
        '%s', 
        '%s',
        '%s',
        '%s',
        '%s',
        '%s'

    ) 
);
var_dump( $wpdb->last_query );

//echo $wpdb->insert_id;
//$wpdb->print_error();


if($insertsuccess) {
return true;
} else {
 return false;
}

The output of wpdb->last_query is:

string(423) "INSERT INTO `compservices` (`orderId`, `orderedTime`, `useremail`, `address`, `mobile`, `servicecenter`, `timeslot`, `preferredlanguage`, `status`, `completedDate`, `userissue`, `userproduct`) VALUES ('GV2016021757', '2016-02-17 23:20', '[email protected]', 'jnerjnmejnrerr', '9999999999', 'GVONE', '2016-02-18 - 09 AM to 12 PM', 'ENG', 'Ordered', NULL, '', 'kdnsjknjer')"

The actual query is 

string(423) "INSERT INTO `compservices` (`orderId`, `orderedTime`, `useremail`, `address`, `mobile`, `servicecenter`, `timeslot`, `preferredlanguage`, `status`, `completedDate`, `userissue`, `userproduct`) VALUES ('GV2016021757', '2016-02-17 23:20', '[email protected]', 'jnerjnmejnrerr', '9999999999', 'GVONE', '2016-02-18 - 09 AM to 12 PM', 'ENG', 'Ordered', NULL, '<script>alert("hello")</script>', 'kdnsjknjer')"

and data inserted is

all data same as well as the script tags are also there:

<script>alert(\'hello\')</script>

The expectation was wpdb->insert will sanitize the script tags and remove it. It is showing correct in wpdb->last_query. But the data in database has script tags.

I am not able to figure out why this is happening.

Improve this question
1
  • In second last parameter of insert query. I have given input as <script>alert("hello")</script>. In wpdb->last_query, the script tags are replaced but in data base I am seeing script tags are there. Commented Feb 17, 2016 at 17:59

1 Answer 1

Reset to default
1

wpdb::insert will only ensure that data is inserted safely (i.e prevents against SQL injection). It will not sanitize your data (e.g. stripping certain/all HTML), that's down to you.

You can either use wp_strip_all_tags, which removes all HTML, or a variation of wp_kses, which is a sophisticated library for removing certain (x)HTML tags & entitites.

The output of wpdb->last_query is:

You've been tricked! The reason you don't see <script>alert(\'hello\')</script> is because it's being parsed by the browser when you output it - if you escape your debug output you'll see the two are the same:

<?php echo esc_html( $wpdb->last_query ) ?>
Improve this answer
2
  • So to secure from XSS attacks, we need to santize and validate data from our side and wordpress will take care of SQL injection attacks. Right? Commented Feb 18, 2016 at 19:15
  • Correct - WordPress has all the tools, but it's up to you to use them as you see fit. Commented Feb 18, 2016 at 19:18

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.