Title: How do you mitigate SQL injection?
Last modified: October 1, 2017

---

# How do you mitigate SQL injection?

 *  Resolved [awijasa](https://wordpress.org/support/users/awijasa/)
 * (@awijasa)
 * [8 years, 8 months ago](https://wordpress.org/support/topic/how-do-you-mitigate-sql-injection/)
 * Hello,
 * I found a telltale of SQL Injection prone code in /erp/includes/functions-people.php
   > erp_get_peoples. However, based on my testing it’s probably secure. I want
   to bring it up just to make sure that it’s indeed secure.
 * Here is the line of code I was concerned about in erp_get_peoples:
 * `$type_sql = ( $type != 'all' ) ? "and name = '" . $type ."'" : '';`
 * I thought that I could pass in anything into $type since it’s available on
   Accounting > Sales > Payment.
 * To manipulate the value being passed into $type, I ran this code:
 * `jQuery( "#erp-ac-select-user-for-assign-contact" ).data( "type", "customer' and people.id = '2" )`
 * However, when I tested the $final_query value, it was correctly escaped even though
   you don’t use $wpdb->prepare or any other SQL Injection mitigation technique
   that I am aware of. Here is what I got as the $final_query value:
 * `and name = 'customer\' and people.id = \'2'`
 * So, I am curious about what you did to escape the $type variable.
 * Thanks,
 * [@awijasa](https://wordpress.org/support/users/awijasa/)
    -  This topic was modified 8 years, 8 months ago by [awijasa](https://wordpress.org/support/users/awijasa/).

Viewing 1 replies (of 1 total)

 *  Thread Starter [awijasa](https://wordpress.org/support/users/awijasa/)
 * (@awijasa)
 * [8 years, 8 months ago](https://wordpress.org/support/topic/how-do-you-mitigate-sql-injection/#post-9547007)
 * Hello,
 * I think the AJAX requests are escaping the args. So, args that reach
   functions-people.php are never unescaped. Please confirm that this is indeed
   the case and that only AJAX requests can reach functions-people.php and
   mitigate the SQL Injection risks.
 * Since args are being escaped by AJAX, there is a side effect. If I enter a Customer
   with Last Name: O’Brien, after creation his last name will be O\’Brien in the
   system.
 * Steps to reproduce:
    1. Open /wp-admin > Accounting > Customers > Add New
    2. Enter First Name: Conan, Last Name: O’Brien, Email: conan@gmail.com
    3. Click Add Customer
    4. The new Customer’s name on the list will be Conan O\’Brien instead of Conan O’Brien
 * Workaround:
   Replace `$main_fields[$key] = $value;` in functions-people.php with:

   ```
   // Strip the backslash the escaped request left in front of single quotes
   if ( is_string( $value ) ) {
       $main_fields[ $key ] = str_replace( "\'", "'", $value );
   } else {
       $main_fields[ $key ] = $value;
   }
   ```

 * Replace `$meta_fields[$key] = $value;` in functions-people.php with:

   ```
   // Same backslash cleanup for the meta fields
   if ( is_string( $value ) ) {
       $meta_fields[ $key ] = str_replace( "\'", "'", $value );
   } else {
       $meta_fields[ $key ] = $value;
   }
   ```

 * Please let me know if you have any question.
 * Thanks,
 * [@awijasa](https://wordpress.org/support/users/awijasa/)
    -  This reply was modified 8 years, 8 months ago by [awijasa](https://wordpress.org/support/users/awijasa/).
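The two issues raised in this thread, the concatenated `$type_sql` clause and the doubled escaping that turns O’Brien into O\’Brien, worked through in one added example. This is illustrative code, not WP ERP's own: the function names, the table name `{$wpdb->prefix}erp_peoples` and the slashed sample input are assumptions, and it expects a loaded WordPress environment (`$wpdb`, `wp_unslash()`).

```php
<?php
// Added example, not code from WP ERP. Assumes a loaded WordPress
// environment ($wpdb, wp_unslash) and a table {$wpdb->prefix}erp_peoples
// (assumed name). Function names are hypothetical.

// Request data in WordPress arrives slash-escaped (wp_magic_quotes()), which
// is why the thread's $final_query looked escaped without $wpdb->prepare().
// Undo that once at the input boundary instead of patching each assignment,
// so "O\'Brien" is stored as "O'Brien".
function erp_example_unslash_field( $value ) {
    return is_string( $value ) ? wp_unslash( $value ) : $value;
}

// The thread's filter clause, built with a placeholder. $wpdb->prepare()
// quotes and escapes the value itself, so the clause is safe no matter
// which caller supplied $type or whether it was slashed upstream.
function erp_example_type_clause( $type ) {
    global $wpdb;
    if ( 'all' === $type ) {
        return '';
    }
    // Vulnerable shape from the thread, kept for comparison only:
    //   $type_sql = "and name = '" . $type . "'";
    return $wpdb->prepare( ' AND name = %s', erp_example_unslash_field( $type ) );
}

// Constructed sample input shaped like the thread's slashed POST values.
$post = array(
    'last_name' => "O\\'Brien",                        // arrives as O\'Brien
    'type'      => "customer\\' and people.id = \\'2", // the thread's test value
);

$main_fields = array_map( 'erp_example_unslash_field', $post );
// $main_fields['last_name'] is now "O'Brien", not "O\'Brien"

$sql = "SELECT id FROM {$wpdb->prefix}erp_peoples WHERE 1 = 1"
     . erp_example_type_clause( $post['type'] );
// prepare() yields one quoted string literal:
//   ... AND name = 'customer\' and people.id = \'2'
// the same escaped form the thread observed, but now guaranteed by the
// query builder rather than by whichever request path ran first.
```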


The topic ‘How do you mitigate SQL injection?’ is closed to new replies.