• Resolved chelminski

    (@chelminski)


    Hello,

    I’m using Automator for WordPress and I’m running into a limitation related to the built-in SQL validation.

    When using actions that execute custom SQL, any query containing standard keywords like INSERT, UPDATE or DELETE is blocked with the message “Dangerous SQL keywords detected”. I fully understand the security rationale behind this, however in my case the SQL is fully controlled (no user input involved) and is used only for internal logging/synchronization within my own plugin / WordPress environment.

    I’d like to ask:

    Is there any official or supported way to relax or bypass this validation for trusted/internal use cases?

    Are there filters, hooks, or recommended patterns (other than rewriting everything to PHP + $wpdb) intended for advanced users?

    If not, is there a roadmap consideration for allowing developers to explicitly opt in to trusted SQL execution?

    At the moment, the only viable workaround seems to be executing all logic through custom PHP actions, which works but limits flexibility when designing Automator recipes.

    I’d really appreciate clarification on the intended approach for advanced / developer-level integrations.

    Thank you for your time and for the great plugin.

    Best regards,
    Dawid

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter chelminski

    (@chelminski)

    Plugin Support Rohan Pokharel

    (@24ron)

    Hi @chelminski,

    Sorry for the late response, and thank you for reporting this. You’re correct that the validation is overly aggressive. We’ve identified that the keyword detection uses simple string matching, which can falsely trigger on keywords appearing inside string values (like ‘user.create’ containing CREATE).

    As a workaround, please add this filter code to your child theme’s functions.php file or a code snippet plugin like WPCode.

    // Replace Automator Pro's default blocked-keyword list with only the destructive statements.
    add_filter( 'automator_pro_sql_disallowed_keywords', function( $keywords ) {
        return array( 'DROP', 'ALTER', 'EXEC', 'TRUNCATE' );
    }, 10 );

    This customizes the blocked keywords to only the truly dangerous ones.

    We’re working on improving this by implementing proper SQL parsing that only detects dangerous keywords when they’re actual SQL commands, not within string literals. Let us know if this helps!

    Regards,
    Rohan
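The string-matching problem described in the reply above, as an added example that is not Automator's code: blank out string literals and comments first, then look for disallowed keywords only as whole-word SQL tokens, so a value like 'user.create' no longer trips CREATE while a real UPDATE statement still does. The function name, both keyword lists and the sample queries are assumptions constructed for this example.

```php
<?php
// Added example, not Automator's code: strip quoted strings and comments
// before keyword matching. Function name and keyword lists are hypothetical.

/**
 * Return the first disallowed keyword that appears as an actual SQL token,
 * ignoring anything inside quotes or comments; null if none is found.
 */
function example_find_disallowed_sql_keyword( string $sql, array $keywords ): ?string {
    // Single/double-quoted literals (backslash or doubled-quote escapes),
    // backtick identifiers, /* */ blocks, and -- or # line comments.
    $pattern = "/'(?:[^'\\\\]|\\\\.|'')*'"
             . '|"(?:[^"\\\\]|\\\\.|"")*"'
             . '|`[^`]*`'
             . '|\/\*.*?\*\/'
             . '|(?:--|#)[^\r\n]*/s';
    $stripped = preg_replace( $pattern, ' ', $sql );

    foreach ( $keywords as $keyword ) {
        // \b stops UPDATE from matching inside an identifier such as last_updated.
        if ( preg_match( '/\b' . preg_quote( $keyword, '/' ) . '\b/i', $stripped ) ) {
            return strtoupper( $keyword );
        }
    }
    return null;
}

// Constructed sample input: an internal logging statement and a destructive one.
$log_sql     = "UPDATE wp_my_log SET event = 'user.create', note = 'drop-in /* x */' WHERE id = 1";
$destructive = array( 'DROP', 'ALTER', 'EXEC', 'TRUNCATE' );
$strict      = array( 'CREATE', 'INSERT', 'UPDATE', 'DELETE', 'DROP' );

// CREATE and DROP occur only inside string literals here, so the destructive list is not matched.
var_dump( example_find_disallowed_sql_keyword( $log_sql, $destructive ) );
// UPDATE is the actual command, so the stricter list is matched on it, not on the string contents.
var_dump( example_find_disallowed_sql_keyword( $log_sql, $strict ) );
// A genuine destructive statement is still caught.
var_dump( example_find_disallowed_sql_keyword( 'DROP TABLE wp_my_log', $destructive ) );
```

A keyword list screened this way still only narrows which statement types Automator will run; it is not a substitute for keeping user input out of the query text.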

    Thread Starter chelminski

    (@chelminski)

    Hi,
    thank you so much.
    That was super helpful.

    Greetings,
    Dawid
