Title: SQL injection vulnerability
Last modified: April 20, 2017

---

# SQL injection vulnerability

 *  [pwoo](https://wordpress.org/support/users/pwoo/)
 * (@pwoo)
 * [9 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-vulerability/)
 * In wp-athletics-db.php, line 1937 (get_events_for_year), there is an obvious
   SQL injection vector. Essentially, it uses `$data['year']` completely unsanitised
   in an SQL statement. The SQL should ideally be converted into a prepared statement,
   but a simple fix would be to sanitise `$data['year']` before using it.
 * PoC (javascript) – note the `; #` in the year parameter:

   ```javascript
   WPA.Ajax.getEvents({
     year: '2017 ORDER by e.date DESC; #'
   }, function(result) {
     if (result && result.results) {
       WPA.Events.printEvents(result.results);
     }
   });
   ```
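As an added illustration (not the reporter's code and not the WP Athletics plugin's own source, whose actual query the post does not show), the pattern the report describes is placed beside a version that validates the year and binds it with `$wpdb->prepare()`. The table name `wpa_event`, the column `e.date` and the function bodies are assumptions made for the example; only `get_events_for_year` and `$data['year']` come from the post.

```php
<?php
// Added example, not the plugin's code. The real query in wp-athletics-db.php
// is not quoted in the report, so the table and column names are assumed.

// Pattern the report describes: the request value is concatenated straight
// into the SQL string. In a numeric context no quote is needed to break out,
// which is why a year such as "2017 ORDER by e.date DESC; #" changes the
// statement instead of being treated as a number.
function get_events_for_year_unsafe( $data ) {
    global $wpdb;
    $sql = "SELECT e.* FROM {$wpdb->prefix}wpa_event e "
         . "WHERE YEAR(e.date) = " . $data['year'];
    return $wpdb->get_results( $sql );
}

// Hardened form: coerce to an integer, range-check it, and bind it through
// $wpdb->prepare() with a %d placeholder so it can only ever be a number.
function get_events_for_year_safe( $data ) {
    global $wpdb;

    $year = isset( $data['year'] ) ? absint( $data['year'] ) : 0;
    if ( $year < 1900 || $year > 2100 ) {
        // Reject out-of-range input instead of querying with it.
        return array();
    }

    $sql = $wpdb->prepare(
        "SELECT e.* FROM {$wpdb->prefix}wpa_event e "
        . "WHERE YEAR(e.date) = %d ORDER BY e.date ASC",
        $year
    );
    return $wpdb->get_results( $sql );
}

// Placeholders bind values, not SQL keywords or identifiers. If a caller is
// allowed to choose the sort direction, map it against a fixed allow-list
// rather than interpolating the raw string.
function wpa_sort_direction( $value ) {
    return ( 'DESC' === strtoupper( (string) $value ) ) ? 'DESC' : 'ASC';
}
```

`absint()` alone already removes the injected text, but keeping the `prepare()` call as well means the query stays safe if the column is later changed to a string type or another parameter is added.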

The topic ‘SQL injection vulnerability’ is closed to new replies.

 * 0 replies
 * 1 participant
 * Last reply from: [pwoo](https://wordpress.org/support/users/pwoo/)
 * Last activity: [9 years, 1 month ago](https://wordpress.org/support/topic/sql-injection-vulerability/)
 * Status: not a support question