Title: Plugin possibly vulnerable to SQL injection
Last modified: July 26, 2018

---

# Plugin possibly vulnerable to SQL injection

 *  Resolved [jakdaniel5](https://wordpress.org/support/users/jakdaniel5/)
 * (@jakdaniel5)
 * [7 years, 10 months ago](https://wordpress.org/support/topic/plugin-possibly-vunerable-to-sql-injection/)
 * The plugin does not correctly prepare the data before posting it to the database.
 * In my apache error log I noticed this (I have replaced personal data with xx's):

   ```
   WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'xx@xx.org.uk', '185.73.xx.xx', '2018-07-26 12:47:03', ' at line 1
   for query INSERT INTO wp_ualp_user_activity (post_id,post_title,user_id, user_name, user_role, user_email, ip_address, modified_date, object_type, action) VALUES ('1843','','41', 'xx xx', 'Subscriber, Participant, Volunteer Network Member','xx'xx@xx.org.uk', '185.73.xx.xx', '2018-07-26 12:47:03', 'reply', 'reply updated')
   made by require('wp-blog-header.php'), require_once('wp-includes/template-loader.php'), do_action('template_redirect'), WP_Hook->do_action, WP_Hook->apply_filters, bbp_template_redirect, do_action('bbp_template_redirect'), WP_Hook->do_action, WP_Hook->apply_filters, bbp_post_request, do_action('bbp_post_request'), WP_Hook->do_action, WP_Hook->apply_filters, bbp_new_reply_handler, wp_insert_post, do_action('save_post'), WP_Hook->do_action, WP_Hook->apply_filters, ual_shook_transition_post_status, ual_get_activity_function, ual_user_activity_add,
   referer: https://xx.co.uk/groups/xx/forum/topic/please-reply-to-me/
   ```
 * It appears that none of the SQL statements are being prepared properly for database
   inserts (in user_functions.php line 118):

   ```php
   function ual_user_activity_add($post_id, $post_title, $obj_type, $current_user_id, $current_user, $user_role, $user_mail, $modified_date, $ip, $action) {
       global $wpdb;
       $table_name = $wpdb->prefix . "ualp_user_activity";
       // Only the title is escaped; every other value is interpolated as-is.
       $post_title = addslashes($post_title);
       // A quote in $user_mail (or any other argument) ends the string literal.
       $insert_query = $wpdb->query("INSERT INTO $table_name (post_id,post_title,user_id, user_name, user_role, user_email, ip_address, modified_date, object_type, action) VALUES ('$post_id','$post_title','$current_user_id', '$current_user', '$user_role','$user_mail', '$ip', '$modified_date', '$obj_type', '$action')");
   }
   ```
   
 * This opens up the plugin to possible SQL injection attacks, most likely through
   a malicious email address that contains ‘ characters! It also means that users
   with email names such as O’Toole@ or O’Donnell@ will cause database errors.
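A hardened form of the same insert, added here as an example; it is not code from the User Activity Log plugin or from anyone in this thread. It assumes the hypothetical function names `ual_user_activity_add_safe` and `ual_user_activity_add_safe_insert` and that `post_id` and `user_id` are integer columns.

```php
<?php
// Added example, not the plugin's own code. The same INSERT as the snippet
// above, rewritten so that every value is bound through $wpdb->prepare()
// (or $wpdb->insert(), which calls prepare() internally) instead of being
// interpolated into the SQL string. The function names are hypothetical and
// post_id / user_id are assumed to be integer columns.
function ual_user_activity_add_safe( $post_id, $post_title, $obj_type, $current_user_id, $current_user, $user_role, $user_mail, $modified_date, $ip, $action ) {
    global $wpdb;
    // The table name cannot be a placeholder; it is built from $wpdb->prefix,
    // a site configuration value, never from request data.
    $table_name = $wpdb->prefix . 'ualp_user_activity';

    // No addslashes() anywhere: prepare() applies the database's own escaping
    // and quoting to each %s value, so O'Toole@example.org is stored intact
    // and a quote in any field can no longer terminate the string literal.
    $sql = $wpdb->prepare(
        "INSERT INTO {$table_name}
            (post_id, post_title, user_id, user_name, user_role, user_email,
             ip_address, modified_date, object_type, action)
         VALUES (%d, %s, %d, %s, %s, %s, %s, %s, %s, %s)",
        $post_id, $post_title, $current_user_id, $current_user, $user_role,
        $user_mail, $ip, $modified_date, $obj_type, $action
    );
    return $wpdb->query( $sql );
}

// Equivalent using $wpdb->insert(): column => value pairs plus a format list,
// so the prepared statement is built by WordPress and the column list and
// the value list cannot drift apart.
function ual_user_activity_add_safe_insert( $post_id, $post_title, $obj_type, $current_user_id, $current_user, $user_role, $user_mail, $modified_date, $ip, $action ) {
    global $wpdb;

    return $wpdb->insert(
        $wpdb->prefix . 'ualp_user_activity',
        array(
            'post_id'       => $post_id,
            'post_title'    => $post_title,
            'user_id'       => $current_user_id,
            'user_name'     => $current_user,
            'user_role'     => $user_role,
            'user_email'    => $user_mail,
            'ip_address'    => $ip,
            'modified_date' => $modified_date,
            'object_type'   => $obj_type,
            'action'        => $action,
        ),
        array( '%d', '%s', '%d', '%s', '%s', '%s', '%s', '%s', '%s', '%s' )
    );
}
```

With either version the e-mail address from the log line above is stored as ordinary data rather than breaking the query.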


 *  Plugin Contributor [khushbu padalia](https://wordpress.org/support/users/khushbupadalia/)
 * (@khushbupadalia)
 * [7 years, 9 months ago](https://wordpress.org/support/topic/plugin-possibly-vunerable-to-sql-injection/#post-10613544)
 * Hi [@jakdaniel5](https://wordpress.org/support/users/jakdaniel5/),
 * Thank you for notifying us. We will check and resolve it in the next version of the plugin.
 * Thank you and regards,
   Solwin Infotech
 *  Thread Starter [jakdaniel5](https://wordpress.org/support/users/jakdaniel5/)
 * (@jakdaniel5)
 * [7 years, 8 months ago](https://wordpress.org/support/topic/plugin-possibly-vunerable-to-sql-injection/#post-10681035)
 * I added:
 * `$user_email = addslashes($user_email);`
 * just after line 121 of user_functions.php, before the insert query in function ‘ual_user_activity_add’.


The topic ‘Plugin possibly vulnerable to SQL injection’ is closed to new replies.


 * 2 replies
 * 2 participants
 * Last reply from: [jakdaniel5](https://wordpress.org/support/users/jakdaniel5/)
 * Last activity: [7 years, 8 months ago](https://wordpress.org/support/topic/plugin-possibly-vunerable-to-sql-injection/#post-10681035)
 * Status: resolved