php - Using Wordpress, can some one tell me the best way of sanitizing input? -
I am developing an application using Wordpress as a CMS.
I have many input fields that need to be cleaned before storing it in the database.
I want to stop SQL injection, javascript and PHP code injection and other harmful code. / P>
Currently I am using my method to process the data, but I think it would be better to use those functions that use WP.
I've looked into Wordpress, but I'm unsure at how much I should use these functions, and in what order nobody can tell that what's best to use WP functions is?
Currently I am "sanitizing" my input by doing the following:
-
Because the character with the accent (É, ô, æ, ø, a ) Is stored in a strange way in the database (although my table is set to
ENGINE = InnoDB
,DEFAULT CHARSET = utf8
andCOLLATE = utf8_danish_ci
), I am now changing the intent field, which can be accented using the harness (). -
When creating the SQL string to input data, I use
mysql_real_escape_string ()
.
I do not think it is enough to stop the attacks though. So suggestions for improvement are appreciated.
Input "synthesis" is bogus.
You should not try to save yourself from the trouble of injection by filtering (*) or escape, you should work with raw wire unless you put them in another context. . At that point, you need the right escaping function for that context, which is mysql_real_escape_string
and htmlspecialchars
for HTML output.
(Its adding functions like WordPress esc_html
, which is no different in theory.)
(*: Okay, the application- Except for specific requirements, such as checking an e-mail address is actually an e-mail address, it is advisable to ensure a password, and so on. Although there is a reasonable argument for filtering control characters on the input stage, This is rarely done.)
Now I Ut fields that is, that change can accent using HTMLentities ()
I would strongly recommend that you do not have to be raw text in your database; If you have encoded it as HTML, then you make it difficult to operate the database on columns, such as & lt; The non-ASCII characters are saved from
and "
. When you get data from the database and use it for any other reason than copy it into a page Now you have got fake HTML-escapes in the data. Do not do HTML-ASP unless you are writing text on the page till the last moment.
If you want to take non-ASCII characters in the database Trouble in, it's a different It is a matter of fact that you should first solve the problem of HTML-encoded data instead of going for the unprotected operation. Here are the appropriate UTF-8 about PHP and databases in adequate positions, but the main thing is to ensure that your HTML Output pages are working correctly as UTF-8 by using Content-Type
header / meta. Then set your MySQL connection to UTF-8, for example By yoga.
When creating the SQL string to input data, I use mysql_real_escape_string ().
Yes, it is co rrect . Unless you do this you are not weak against SQL injection. If you are at the end of the HTML-escaping template output end instead of the database, you may be may weaken for HTML-injection (due to XSS). Because any string has gone through the database not (such as received from $ _ GET
) will not be HTML-escaped.
Comments
Post a Comment