Use `$wpdb->prepare` for dynamic WordPress SQL | Critiq Docs

#Metadata

Rule ID: php.security.wordpress-unprepared-sql
Severity: high
Confidence: 0.9
Languages: php
Presets: security, strict
Stability: stable
Applies to: block
Tags: php, rules-catalog, security, sql-injection, wordpress

#Why it matters

Dynamic SQL without `$wpdb->prepare` enables injection and unauthorized data access/manipulation.

#Remediation

Build SQL through `$wpdb->prepare` placeholders and sanitize scalar inputs before passing them to query execution calls.

#Repository path

The generated metadata points to critiq-rules/libs/rules/catalog/rules/php/php.security.wordpress-unprepared-sql.rule.yaml.

Back to directory Open rule in repository