Hello Friends,

Here we are going to discuss the prevention of sql injection problem in wordpress website. Suppose we have an option to search an user in our website now see what an unlawful user can do with this:

In search box an user can input like "Vivek Rastogi'; Drop table users";

Now you can see how your query will appear::

$first_name = "Vivek Rastogi'; Drop table users"; // $first_name is user input fields 
$sql = "Select * from employees where first_name = $first_name";
$wpdb->query($sql);

// see what query will run 
Select * from employees where first_name = Vivek Rastogi'; Drop table users; 
// you can see it will delete users table

To prevent this problem wordpress has solution as below::
$first_name = "Vivek Rastogi'; Drop table users"; // $first_name is user input fields
$sql = $wpdb->prepare('Select * from employees where first_name = %s;',array($firstname));

$results = $wpdb->get_results($sql);
$wpdb->prepare method is used for prevention.