Изменение приведенного ниже кода для устранения уязвимости SQL путем экранирования пользовательских данных, передаваемых ⇐ Php

[Гость]

Looking for advice, and best practices for changing the code below, so that it isn't vulnerable to any SQL attacks.
Looking to do this by escaping user data passed to SQL queries, but not sure of the safest and best way to do this.
Looking for any suggestions on the above, for the code below:

Код: Выделить всё

    public static function sales_data_postback() {
if ( ! isset( $_REQUEST['sales_data'] ) )
return;

$data          = json_decode( stripslashes( $_POST['data'] ) );
$cart_contents = json_decode( stripslashes( $_POST['cart_contents'] ) );

//Unset purchase log ID, since we're inserting a new one.
$data = (array) $data;

unset( $data['id'] );

$purchase_log = wpsc_get_order( $data );
$purchase_log->save();
$purchase_log_id = $purchase_log->get( 'id' );

global $wpdb;

//We need to update the proper product ID, name and purchase ID
foreach ( $cart_contents as $cart_item ) {

$product = new WP_Query( array( 'post_type' => 'wpsc-product', 'pagename' =>     $cart_item->slug ) );
$product = $product->get_posts();
$product = $product[0];

$cart_item = ( array ) $cart_item;

unset( $cart_item['id'] );
unset( $cart_item['slug'] );

$cart_item['prodid']     = $product->ID;
$cart_item['name']       = $product->post_title;
$cart_item['purchaseid'] = $purchase_log_id;

$wpdb->insert( WPSC_TABLE_CART_CONTENTS, $cart_item );
}

die;
}

been looking at ways of safely escaping user data passed to sql queries.


Источник: https://stackoverflow.com/questions/781 ... -passed-to