  • Plugin Author Jacob Schwartz (@mightyturtle)

    Hi,

    I appreciate your good intentions, but this is not an example of the security risk that you refer to. I want to be clear about this so that no one feels like they need to panic and deactivate the plugin.

    For those who want to understand the technical reasoning for my answer:

    1. A security risk occurs where a parameter is inserted directly into the SQL without using placeholders. The SQL shown here does not use any parameters; it simply takes the top result from a list.
    2. The most recent version of WP raises a warning in this situation because the prepare function expects me to be using placeholders. It was not an issue in previous versions of WP. In the next release of my plugin, this will be fixed (I’ll simply execute the SQL directly rather than preparing). However, this is not a security risk, and the warning only shows up when an admin has PHP warnings turned on, and even then only when viewing a preview via the settings page. There is no impact to end users.

    Sorry if this seems a little long-winded, and once again I do appreciate your good intentions, but I need to be clear on this.

    Thanks,

    Jacob
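As an added illustration of the distinction drawn in the reply above (this is example code written for this page, not code from the plugin or from the thread), the three situations look like this with WordPress's `$wpdb` object. The table name `{prefix}example_items` and its columns `id`, `name` and `created` are assumptions chosen for the example.

```php
<?php
// Added example, not from the plugin or the thread above.
// Assumes a hypothetical table {$wpdb->prefix}example_items(id, name, created).

function example_table() {
    global $wpdb;
    // $wpdb->prefix comes from wp-config.php, not from user input.
    return $wpdb->prefix . 'example_items';
}

// Case 1: the actual SQL injection risk the reply refers to.
// A request-supplied value is concatenated straight into the statement,
// so the input can change the meaning of the query.
function example_unsafe_lookup( $name ) {
    global $wpdb;
    $table = example_table();
    return $wpdb->get_var( "SELECT id FROM $table WHERE name = '$name'" );
}

// Case 2: the situation in the thread. The statement has no parameters at all
// (nothing in it comes from a request), but it is passed through prepare()
// with no placeholders. Recent WordPress versions log a _doing_it_wrong notice
// for this, which is the warning the original poster saw. It is a coding
// notice, not an injectable query.
function example_prepare_without_placeholders() {
    global $wpdb;
    $table = example_table();
    $sql   = "SELECT id FROM $table ORDER BY created DESC LIMIT 1";
    return $wpdb->get_var( $wpdb->prepare( $sql ) ); // notice, no vulnerability
}

// Case 3a: the fix the author describes for static SQL: run it directly,
// since there is nothing to escape and prepare() adds no protection here.
function example_latest_id() {
    global $wpdb;
    $table = example_table();
    return $wpdb->get_var( "SELECT id FROM $table ORDER BY created DESC LIMIT 1" );
}

// Case 3b: the correct use of prepare() when a parameter IS involved.
// The %s placeholder makes wpdb escape and quote $name for you.
function example_safe_lookup( $name ) {
    global $wpdb;
    $table = example_table();
    return $wpdb->get_var(
        $wpdb->prepare( "SELECT id FROM $table WHERE name = %s", $name )
    );
}
```

The practical check when reviewing a plugin for this class of issue is therefore not "does every query go through `prepare()`" but "does every value that can originate from a request reach the query only through a placeholder". Case 2 fails the first test and passes the second, which is why the author's assessment that it is a warning rather than a vulnerability holds.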

The topic ‘WP SQL issue’ is closed to new replies.