Title: SQL injection in api_user_id usage (?)
Last modified: August 31, 2016

---

# SQL injection in api_user_id usage (?)

Resolved. [uberspot](https://wordpress.org/support/users/uberspot/) (@uberspot), [10 years ago](https://wordpress.org/support/topic/sql-injection-in-api_user_id/)

Hi,

in `lib/shortcode/shortcode.ajax.php` you get the api_user_id from the GET parameter.

```php
function Zotpress_shortcode_AJAX() {
    ...
    $zp_api_user_id = $_GET['api_user_id'];
    ...
    $zp_account = zp_get_account ($wpdb, $zp_api_user_id);
```

You then use that api_user_id in the functions `zp_get_account`, `zp_get_accounts` and `zp_clear_cache_for_user` in `lib/request/request.function.php`, which do SQL queries with the `wpdb->get_results` function but don't do `wpdb->prepare` on the input.

```php
function zp_get_account ($wpdb, $api_user_id_incoming=false)
{
    if ($api_user_id_incoming !== false)
        $zp_account = $wpdb->get_results("SELECT * FROM ".$wpdb->prefix."zotpress WHERE api_user_id='".$api_user_id_incoming."'");
```

I might be mistaken, but with a brief glimpse I don't see where the api_user_id is validated/sanitized, in which case there is an SQL injection vulnerability. Am I missing something? Is some WordPress function escaping that user input?

Helpful resources:

 * [https://developer.wordpress.org/plugins/security/securing-input/](https://developer.wordpress.org/plugins/security/securing-input/)
 * [http://ottopress.com/2013/better-know-a-vulnerability-sql-injection/](http://ottopress.com/2013/better-know-a-vulnerability-sql-injection/)
 * [https://wordpress.org/plugins/zotpress/](https://wordpress.org/plugins/zotpress/)
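For readers who want to see what the report is asking for, here is the quoted pattern next to a parameterized version. This is an added example, not Zotpress's code and not the 6.1.3 fix itself. It assumes it runs inside WordPress (the `$wpdb` global, `wp_unslash()`, `sanitize_text_field()`, `wp_send_json_success()` / `wp_send_json_error()`); the table name and the function names `zp_get_account` and `Zotpress_shortcode_AJAX` are those quoted above, `zp_get_account_unsafe` is a renamed copy of the reported pattern kept only for contrast, and the allow-list pattern for the id is an assumption, since the thread does not state the real format of an `api_user_id`.

```php
<?php
// Added example, not Zotpress's own code. Assumes the WordPress runtime
// ($wpdb global, wp_unslash(), sanitize_text_field(), wp_send_json_*()).
// Table and function names are the ones quoted in the report.

// The reported pattern, renamed with _unsafe (not a plugin name) for contrast.
// The value is spliced into the SQL text, so a value containing a single quote
// ends the string literal early and the remainder is parsed as SQL.
function zp_get_account_unsafe( $wpdb, $api_user_id_incoming = false ) {
    if ( $api_user_id_incoming === false ) {
        return false;
    }
    return $wpdb->get_results(
        "SELECT * FROM " . $wpdb->prefix . "zotpress WHERE api_user_id='" . $api_user_id_incoming . "'"
    );
}

// Parameterized version. %s is the placeholder for a string value; prepare()
// escapes the value and wraps it in quotes itself, so the SQL text must NOT
// put quotes around %s. A literal percent sign in the query is written as %%.
function zp_get_account( $wpdb, $api_user_id_incoming = false ) {
    if ( $api_user_id_incoming === false ) {
        return false;
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}zotpress WHERE api_user_id = %s",
        $api_user_id_incoming
    );
    return $wpdb->get_results( $sql );
}

// The AJAX entry point. Binding in the query is what stops injection; the
// checks here additionally reject malformed ids before any query runs.
// Assumption (not stated in the thread): an api_user_id is a short token of
// letters, digits, '_' or '-'. Adjust the pattern to the real format.
function Zotpress_shortcode_AJAX() {
    global $wpdb;

    if ( ! isset( $_GET['api_user_id'] ) ) {
        wp_send_json_error( 'api_user_id is required' ); // calls wp_die()
    }

    // wp_unslash() removes the slashes WordPress adds to request data;
    // sanitize_text_field() strips tags and control characters and turns an
    // array value into '' (which the pattern below then rejects).
    $zp_api_user_id = sanitize_text_field( wp_unslash( $_GET['api_user_id'] ) );

    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $zp_api_user_id ) ) {
        wp_send_json_error( 'api_user_id has an unexpected format' );
    }

    $zp_account = zp_get_account( $wpdb, $zp_api_user_id );
    wp_send_json_success( $zp_account );
}
```

The same binding applies to `zp_get_accounts` and `zp_clear_cache_for_user`: every place the id reaches `$wpdb->get_results()` or `$wpdb->query()` goes through `$wpdb->prepare()` with `%s` (or `%d` if the id turns out to be numeric). A quick way to find remaining spots during review is to list every `get_results(` / `query(` call in `lib/` whose argument is built by concatenation and is not wrapped in `prepare(`.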


Plugin Author [Katie](https://wordpress.org/support/users/kseaborn/) (@kseaborn), [9 years, 11 months ago](https://wordpress.org/support/topic/sql-injection-in-api_user_id/#post-7338041)

Nice catch. This will be fixed in 6.1.3.


The topic ‘SQL injection in api_user_id usage (?)’ is closed to new replies.


 * 1 reply
 * 2 participants
 * Last reply from: [Katie](https://wordpress.org/support/users/kseaborn/)
 * Last activity: [9 years, 11 months ago](https://wordpress.org/support/topic/sql-injection-in-api_user_id/#post-7338041)
 * Status: resolved