WordPress · framework · ~20 mins

SQL injection prevention in WordPress - Practice Problems & Coding Challenges

Challenge - 5 Problems
🎖️
SQL Injection Prevention Master
Get all challenges correct to earn this badge!
Test your skills under time pressure!
🧠 Conceptual · intermediate · 2:00 remaining
Understanding SQL Injection Risks in WordPress

Which of the following best describes why using raw SQL queries with user input in WordPress is risky?

A. Because user input can contain malicious SQL code that changes the query behavior.
B. Because WordPress does not support SQL queries at all.
C. Because SQL queries are always slow and cause performance issues.
D. Because user input is automatically encrypted by WordPress.
💡 Hint

Think about what happens if a user types something unexpected into a search box.

Component behavior · intermediate · 2:00 remaining
Behavior of $wpdb->prepare() in WordPress

What does the $wpdb->prepare() function do when used with user input in WordPress?

A. It removes all user input from the query.
B. It executes the SQL query immediately without any changes.
C. It encrypts the user input before adding it to the query.
D. It safely escapes user input to prevent SQL injection by preparing the query with placeholders.
💡 Hint

Think about how placeholders work in SQL queries.

📝 Syntax · advanced · 2:00 remaining
Correct Usage of $wpdb->prepare()

Which of the following code snippets correctly uses $wpdb->prepare() to safely query posts by title?

A. $wpdb->prepare("SELECT * FROM wp_posts WHERE post_title = ?", $title);
B. $wpdb->prepare("SELECT * FROM wp_posts WHERE post_title = '$title'");
C. $wpdb->prepare("SELECT * FROM wp_posts WHERE post_title = %s", $title);
D. $wpdb->prepare("SELECT * FROM wp_posts WHERE post_title = %d", $title);
💡 Hint

Remember the placeholder types: %s for strings, %d for numbers.

🔧 Debug · advanced · 2:00 remaining
Identifying SQL Injection Vulnerability

Given the following WordPress code, what is the main security issue?

$title = $_GET['title'];
$query = "SELECT * FROM wp_posts WHERE post_title = '$title'";
$results = $wpdb->get_results($query);
A. The code uses $wpdb->get_results(), which is deprecated.
B. The code directly inserts user input into the SQL query without escaping, allowing SQL injection.
C. The variable $title is not defined before use.
D. The query uses double quotes, which causes a syntax error.
💡 Hint

Look at how the variable $title is used inside the query string.

State output · expert · 3:00 remaining
Output of a Prepared Query with Malicious Input

What will be the output of the following WordPress code if the user inputs "anything' OR '1'='1" as $title?

$title = "anything' OR '1'='1";
$query = $wpdb->prepare("SELECT * FROM wp_posts WHERE post_title = %s", $title);
echo $query;
A. SELECT * FROM wp_posts WHERE post_title = 'anything\' OR \'1\'=\'1'
B. SELECT * FROM wp_posts WHERE post_title = 'anything' OR '1'='1'
C. SyntaxError due to unescaped quotes
D. SELECT * FROM wp_posts WHERE post_title = %s
💡 Hint

Think about how $wpdb->prepare() escapes quotes inside strings.