Facebook Twitter Gplus LinkedIn RSS
 
 
Home » Blog » WordPress SQL Injections & Fixing Your Themes

WordPress SQL Injections & Fixing Your Themes

Published on October 6th, 2013

With the update to WordPress 3.5, which happened quite a while ago, a number of popular themes (and some unpopular ones) started displaying the php warnings.

Missing argument 2 for wpdb::prepare(), called in /wp/wp-content/themes/piano-black/sidebar.php on line 75 and defined

In my case, the theme makers don’t speak English, so I’m stuck fixing this baby myself. Piano-black is the name of the theme that I’m using on my old video game blog, which doesn’t get updated much, since I no longer correspond for IGN, sadly.

Any good programmer knows, you need to prepare your queries to avoid nasty little SQL injections. The easiest way to fall victim is to plug a variable right into a SQL statement. A clever and nefarious hacker can very easy put something unintended in that variable, and exploit your code to access the underlining database. This wouldn’t be good.

As shown in the above error, the problem has to do with the incorrect usage of the wpdb::prepare() function. Take this following example:

1
$wpdb->prepare("SELECT * FROM list WHERE ID = %d", $id)
$wpdb->prepare("SELECT * FROM list WHERE ID = %d", $id)

Notice how the %d is a reference to the $id variable. This is important so that the prepare function actually parses your variable before putting it into the SQL statement. Here is the WRONG way of using wpdb::prepare():

1
$wpdb->prepare("SELECT * FROM list WHERE ID = $id")
$wpdb->prepare("SELECT * FROM list WHERE ID = $id")

Since the function is always expecting TWO parameters at a minimum, it is now throwing errors to warn developers of a potential security risk. The downside is that it is also showing potential hackers exactly where your code can be exploited. It’s a double-edged sword that must be fixed as soon as possible. However, if you need to buy yourself time, add the following code to your wp-config.php file:

1
@ini_set('display_errors', 0);
@ini_set('display_errors', 0);

Please understand, this only hides the errors until you can fix them. It does NOT fix the errors. If you leave them, and find yourself hacked, don’t blame me!

About the Author: Sprawl

Stephen Russell is a Mobile App developer and all around IT geek that spends his days running data centers and his nights coding. This site is the go to place for all of zSprawl’s work and the infamous development blog. In his free time, he enjoys tinkering with web code, playing video games, and otherwise plotting to take over the Internets.


 

Leave a Reply

© 2012 zSprawl's zApps

Fork me on GitHub