This is not the first time that WP Fastest Cache has had a SQL injection vulnerability discovered.

Here's a report on 0.8.4.8:

https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-fastest-cache-sql-injection-0-8-4-8/

Here's a report on 0.8.7.4:

https://www.acunetix.com/vulnerabilities/web/wordpress-plugin-wp-fastest-cache-sql-injection-0-8-7-4/

I could go on (all night) but I trust you all get the point. I have two questions.

First, at what point can we say "Emre, you're really bad at writing code. There are lots of other jobs. Find another."

Second and more importantly for the future of the web, how can we as an industry protect innocent users from projects like this?? This monstrosity has over 1 million active installs and the chucklehead doesn't have a fucking clue how to write SQL.
That's a very obvious SQL injection, and a completely unnecessary one. I don't actually know how PHP handles this, but usually it's really not any more work to pass parameters as parameters and not concatenate them into the SQL string. And SQL injections are not an obscure or difficult-to-understand subject; it's probably the most obvious common security issue.

There are cases where it's more annoying to do stuff in plain SQL and where you'd have to concatenate strings. But this is not one of them; it's a simple parameter that needs to be passed to the query.
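To make the "pass parameters as parameters" point concrete, here is an added example written for this page (it is not code from WP Fastest Cache or from any commenter). It runs the same lookup twice against an in-memory SQLite database using plain PHP's PDO: once with the value concatenated into the SQL text, once with it bound as a parameter. The table, rows, function names and inputs are all constructed for the demo; the WordPress equivalent is noted in a comment.

```php
<?php
// Added example, not from the plugin or the thread. Requires PHP with pdo_sqlite.
// Everything below (table, rows, inputs, function names) is constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, status TEXT)');
$pdo->exec("INSERT INTO posts (slug, status) VALUES ('hello-world', 'publish'), ('draft-post', 'draft')");

// Vulnerable form: the caller's string is spliced into the SQL text, so the
// database parser cannot tell where the data ends and the query structure begins.
function countPublishedBySlugConcat(PDO $pdo, string $slug): int
{
    $sql = "SELECT COUNT(*) FROM posts WHERE slug = '" . $slug . "' AND status = 'publish'";
    return (int) $pdo->query($sql)->fetchColumn();
}

// Hardened form: the SQL text is fixed at prepare time and the value travels
// separately as a bound parameter, so it is always treated as a literal.
// In WordPress the same idea is $wpdb->prepare("... WHERE slug = %s", $slug).
function countPublishedBySlugBound(PDO $pdo, string $slug): int
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM posts WHERE slug = ? AND status = 'publish'");
    $stmt->execute([$slug]);
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: an ordinary slug and one containing a single quote,
// which is perfectly legitimate data but changes the meaning of concatenated SQL.
$inputs = ['hello-world', "o'reilly"];

foreach ($inputs as $slug) {
    try {
        $n = countPublishedBySlugConcat($pdo, $slug);
        printf("concat  %-12s -> %d row(s)\n", $slug, $n);
    } catch (PDOException $e) {
        // The quote in the input reached the SQL parser as syntax: proof that
        // input controls query structure, not just the compared value.
        printf("concat  %-12s -> SQL error: %s\n", $slug, $e->getMessage());
    }

    // The bound version never errors and never changes shape; unusual
    // characters simply fail to match any row.
    printf("bound   %-12s -> %d row(s)\n", $slug, countPublishedBySlugBound($pdo, $slug));
}
```

Running it with `php example.php` shows the concatenated query succeeding on the plain slug but raising a syntax error on the slug with the apostrophe, while the bound query returns 1 and 0 respectively. The error is the tell: if a quote character in user data can make the database parser fail, that same character can also make it accept a differently shaped statement, which is exactly what a parameterised query prevents. The fix costs one `prepare` call and no extra lines of reasoning about escaping.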
I'm a little surprised there isn't a general purpose option inside Apache. I'd like to go into my .htaccess and say "Any GET request that matches this regex, please cache and serve future requests from the cache for x seconds."
(I'd set it to an hour normally and 6 hours if I'm on HN.)

That sort of thing would be perfect for WordPress and similar CMSs.
And that is why I have forbidden third party WP plugins at the company I work for, no exception.

There is only 1 plugin and it is the one we write ourselves, which takes care of caching and all custom needs. Each line of code in that plugin is double checked and properly tested before going into production.