Is this code vulnerable to SQL injection attacks?
$sql = "SELECT DISTINCT ID, post_title, post_password, comment_ID, comment_post_ID, comment_author, comment_author_email, comment_date_gmt, comment_approved, comment_type, comment_author_url, SUBSTRING(comment_content,1,70) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID = $wpdb->posts.ID) WHERE comment_approved = '1' AND comment_type = '' AND post_password = '' ORDER BY comment_date_gmt DESC LIMIT 5";
Assuming the $wpdb object is untouchable from the outside (which is generally true in WordPress), I'd say you're safe with this particular query.
You really only need to worry about passing in any parameter received from an external source.
WordPress offers several methods for handling user input in queries. See http://codex.wordpress.org/Data_Validation#Database
It depends on a few things that I can't see - or am not knowledgeable enough to know from the code you've posted. To be vulnerable to SQL injection you must be entering an unescaped string into your database. (EDIT: usually an unescaped, but user definable, string).
I cannot see anywhere in your code that you've escaped the string. PHP offers a function for this: $string = mysql_real_escape_string($string); And then that string should be safe to use in the database query.
So for example, don't use:
$name = $_GET['name'];
mysql_query("INSERT INTO table_name VALUES ('$name')");
Instead use:
$name = mysql_real_escape_string($_GET['name']);
mysql_query("INSERT INTO table_name VALUES ('$name')");
And you "should" be protected against SQL injection, providing that there are no vulnerabilities within the "mysql_real_escape_string" function.
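As an added example (not code from the question or from either answer), the PHP script below puts the interpolating pattern from the second answer's "don't use" snippet next to a bound parameter, which is the same idea as the WordPress $wpdb->prepare() route the first answer points at. It runs outside WordPress by using PDO with an in-memory SQLite table; the table rows, the function names and the attacker string are constructed for illustration.

```php
<?php
// Added example: contrasts string-built SQL with a bound parameter.
// Uses PDO + in-memory SQLite so it runs without WordPress or MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data: one public post, one password-protected post.
$db->exec("CREATE TABLE posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_password TEXT)");
$db->exec("INSERT INTO posts VALUES (1, 'Public post', ''), (2, 'Secret post', 'hunter2')");

// Same shape as the answer's "don't use" snippet: untrusted text is pasted
// straight into the SQL string, so the input can change the WHERE clause.
function find_unlocked_vulnerable(PDO $db, string $title): array
{
    $sql = "SELECT ID, post_title FROM posts WHERE post_title = '$title' AND post_password = ''";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The value is bound to a placeholder and is never parsed as SQL.
// In WordPress the equivalent is
//   $wpdb->get_results($wpdb->prepare("... WHERE post_title = %s AND post_password = ''", $title));
// (prepare() adds the quotes around %s itself).
function find_unlocked_safe(PDO $db, string $title): array
{
    $stmt = $db->prepare("SELECT ID, post_title FROM posts WHERE post_title = ? AND post_password = ''");
    $stmt->execute([$title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input, standing in for something like $_GET['title'].
$attack = "x' OR 1=1 --";

echo "vulnerable: ", count(find_unlocked_vulnerable($db, $attack)), " row(s)\n";
echo "bound:      ", count(find_unlocked_safe($db, $attack)), " row(s)\n";
```

With the attacker string, the interpolated query becomes `... WHERE post_title = 'x' OR 1=1 --' AND post_password = ''`; the `--` comments out the password check, so the protected post is returned too. The bound version looks for a post literally titled `x' OR 1=1 --` and returns nothing. One caveat on the escaping approach in the answer above: `mysql_real_escape_string` belongs to the old `mysql_` extension, which was removed in PHP 7.0, so on current PHP you would use `$wpdb->prepare()` (or `mysqli_real_escape_string` / PDO bindings outside WordPress) instead.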