php - Using Wordpress, can some one tell me the best way of sanitizing input? -

-

I am developing an application using Wordpress as a CMS.

I have many input fields that need to be cleaned before storing it in the database.
I want to stop SQL injection, javascript and PHP code injection and other harmful code. / P>

Currently I am using my method to process the data, but I think it would be better to use those functions that use WP.

I've looked into Wordpress, but I'm unsure at how much I should use these functions, and in what order nobody can tell that what's best to use WP functions is?

Currently I am "sanitizing" my input by doing the following:

  1. Because the character with the accent (É, ô, æ, ø, a ) Is stored in a strange way in the database (although my table is set to ENGINE = InnoDB , DEFAULT CHARSET = utf8 and COLLATE = utf8_danish_ci ), I am now changing the intent field, which can be accented using the harness ().

  2. When creating the SQL string to input data, I use mysql_real_escape_string () .

I do not think it is enough to stop the attacks though. So suggestions for improvement are appreciated.

Input "synthesis" is bogus.

You should not try to save yourself from the trouble of injection by filtering (*) or escape, you should work with raw wire unless you put them in another context. . At that point, you need the right escaping function for that context, which is mysql_real_escape_string and htmlspecialchars for HTML output.

(Its adding functions like WordPress esc_html , which is no different in theory.)

(*: Okay, the application- Except for specific requirements, such as checking an e-mail address is actually an e-mail address, it is advisable to ensure a password, and so on. Although there is a reasonable argument for filtering control characters on the input stage, This is rarely done.)

Now I Ut fields that is, that change can accent using HTMLentities ()

I would strongly recommend that you do not have to be raw text in your database; If you have encoded it as HTML, then you make it difficult to operate the database on columns, such as & lt; The non-ASCII characters are saved from and ". When you get data from the database and use it for any other reason than copy it into a page Now you have got fake HTML-escapes in the data. Do not do HTML-ASP unless you are writing text on the page till the last moment.

If you want to take non-ASCII characters in the database Trouble in, it's a different It is a matter of fact that you should first solve the problem of HTML-encoded data instead of going for the unprotected operation. Here are the appropriate UTF-8 about PHP and databases in adequate positions, but the main thing is to ensure that your HTML Output pages are working correctly as UTF-8 by using Content-Type header / meta. Then set your MySQL connection to UTF-8, for example By yoga.

When creating the SQL string to input data, I use mysql_real_escape_string ().

Yes, it is co rrect . Unless you do this you are not weak against SQL injection. If you are at the end of the HTML-escaping template output end instead of the database, you may be may weaken for HTML-injection (due to XSS). Because any string has gone through the database not (such as received from $ _ GET ) will not be HTML-escaped.


Comments

Post a Comment

Popular posts from this blog

oracle - The fastest way to check if some records in a database table? -

-
I have a big table to work with. I have to see that there are some records whose parent_id is equal to my passing value. Currently I do this by implementing "my_table using select count (*) where parent_id =: id"; If the result> 0, it means that they exist. Because this is a very large table, and I do not care what the actual number of records present, I just want to know if it exists, so I think count (*) Bit is disabled. How do I apply this requirement most quickly? I'm using Oracle 10. # Tips for Hibernation & amp; Tricks It suggests writing in such a way: Integer number = (integer) session .createQuery ("Select Count (*) to ...."). UniqueResult (); I do not know what is the magic of the unique rule? Why does it fast? To compare, select "1 from mytable where parent_id = passId and rowrum", which is more efficient? If you are not interested in the number of records, then there is an EXISTS query one: Select 'y'
Read more

php - multilevel menu with multilevel array -

-
Just ask someone to solve this problem? I want to create a multilevel menu I can not find the right solution generated with multilevel array, it always gets an array_push error My study came from the original idea But still my Can not match the need. This is my MySQL [code] ----- --------------------- --------------- | ID | PARENT_ID | Name | Link | Seq | 1 | 0 | Dashboad | Dashboard / | 1 | 2 | 0 | Menu 1 | Menu 1 / | 2 | 3 | 0 | Menu 2 | Menu 2 / | 3 | 4 | 0 | Menu 3 | Menu 3 / | 4 | 5 | 2 | Joint Add / | 1 | 6 | 3 | Joint Add / | 1 | 7 | 2 | Edit | Edit / | 2 | 8 | 4 | Joint Add / | 1 ------------------------------------------ [/ Code] I want to do something like this in my array array ('dashboard' = & gt; array ('id' = & gt; '' 'Dame' = & gt; 'Dashboard', 'Title' = & gt; 'Dashboard', 'MatchMin' = & gt; Base_URL (). 'Dashboard /', 'Active' => = & Gt; NULL), &
Read more

jQuery UI: Datepicker month format -

-
I am trying to change the format of the month that shows in the popup (not in the date that the picker actually I do not have any choice anywhere to do this, do I like to use a sub-string () or something else? What I normally display is Trying to change: Class = "ui-datepicker-title"> January & lt; / span & gt; ... & lt; / div & gt; Div>
Read more