Is code susceptible to SQL injection attacks?

$sql = "SELECT DISTINCT ID, post_title, post_password, comment_ID, comment_post_ID, comment_author, comment_author_email, comment_date_gmt, comment_approved, comment_type, comment_author_url, SUBSTRING(comment_content,1,70) AS com_excerpt FROM $wpdb->comments LEFT OUTER JOIN $wpdb->posts ON ($wpdb->comments.comment_post_ID = $wpdb->posts.ID) WHERE comment_approved = '1' AND comment_type = '' AND post_password = '' ORDER BY comment_date_gmt DESC LIMIT 5";

Presuming the $wpdb object is untouchable in the outdoors (that is generally true in Wordpress), I'd say you are safe using this query.

You actually only have to be worried about passing in almost any parameter received from an exterior source.

Wordpress offers several techniques to handle user input in queries. See

It is dependent on the couple of stuff that I can not see - or am not knowledgeable enough to understand in the code you've published. To become susceptible to SQL injection you have to be entering an unescaped string to your database. (EDIT: usually an unescaped, but user definable, string).

I am unable to see any place in your code that you have steered clear of the string. PHP provides a function with this: $string = mysql_real_escape_string($string) After which that string ought to be dependable within the database query.

So for instance, avoid using:

$name = $_GET['name'];
mysql_query("INSERT INTO table_name VALUES ('$name')");

Rather use:

$name = mysql_real_escape_string($_GET['name']);
mysql_query("INSERT INTO table_name VALUES ('$name')");

And also you "should" be protected to SQL Injection supplying that you will find no weaknesses inside the "mysql_real_escape_string" function.