Getting started with WordPress get_bloginfo()Enqueuing scripts Making network requests with HTTP API Enqueuing Styles home_url()Custom Post Types template_include The Loop (main WordPress loop)AJAX The $wpdb Object Actions and Filters wp_get_current_user()Add/remove contact info for users with user_contactmethods filter hook Creating a custom template Customizer Hello World Customizer Basics (Add Panel, Section, Setting, Control)The Admin Bar (aka "The Toolbar")Querying posts Alternating main loop (pre_get_posts filter)Shortcode Create a Post Programmatically get_template_part()Taxonomies get_template_part()Shortcodes Post Formats Custom exerpts with excerpt_length and excerpt_more Plugin development Security in WordPress - Escaping Template hierarchy Remove Version from Wordpress and Stylesheets Child Theme Basics add_action()get_template_part()Shortcode with attribute Sidebars Security in WordPress - Sanitization init Create Template for Custom Post Type Function: add_action()Add Shortcode How Can I integrate Markdown editor with Advance Custom Field's repeater Add-on.Installation and Configuration wp_get_current_user()WP-Cron Secure your installation Options API Function : wp_trim_words()WP_Query() Loop Update WordPress Manually Themes WP-CLI Debugging add_menu_page()add_submenu_page()get_option()get_permalink()get_the_category()the_title()get_the_title()add_editor_style()add_theme_support()WordPress Plugin creation Run WordPress local with XAMPP Admin Dashboard Widgets Site Migration Meta Box Remove Auto Line Breaks From Content and Excerpt get_home_path()Wordpress theme and child-theme development REST API

Security in WordPress - Sanitization

Remarks:

Security should be always in mind when developing. Without security an app is open to various attacks such as SQL Injections, XSS, CSRF, RFI etc that can lead to serious problems.

Untrusted data comes from many sources (users, third party sites, your own database!, ...) and all of it needs to be validated both on input and output. (Sourse: WordPress Codex)

The data should be validated, sanitized or escaped depending the use and the purpose.

To validate is to ensure the data you've requested of the user matches what they've submitted. (Sourse: WordPress Codex)

Sanitization is a bit more liberal of an approach to accepting user data. We can fall back to using these methods when there's a range of acceptable input. (Sourse: Wordpress Codex)

To escape is to take the data you may already have and help secure it prior to rendering it for the end user. (Sourse: WordPress Codex)

Sanitize text field

$title = sanitize_text_field( $_POST['title'] );

Sanitize title

The returned value is intended to be suitable for use in a URL, not as a human-readable title. Use sanitize_text_field instead.

$new_url = sanitize_title($title);

Sanitize email

$sanitized_email = sanitize_email('     [email protected]!     ');

Sanitize html class

$post_class = sanitize_html_class( $post->post_title );
echo '<div class="' . $post_class . '">';

Sanitize file name

$incfile = sanitize_file_name($_REQUEST["file"]);
include($incfile . ".php");

Without sanitizing the file name an attacker could simple pass http://attacker_site/malicous_page as input and execute whatever code in your server.

Sanitize user name

$user = sanitize_user("attacker username<script>console.log(document.cookie)</script>");

$user value after sanitize is "attacker username"

Syntax:

sanitize_text_field( string $str )
sanitize_title( string $title, string $fallback_title, string $context )
sanitize_email( string $email )
sanitize_html_class( string $class, string $fallback )
sanitize_file_name( string $name )
sanitize_user( string $username, boolean $strict )

Contributors

Topic Id: 6348

Example Ids: 21894,21895,21896,21897,21898,21899

This site is not affiliated with any of the contributors.