Skip to main content

Key Differences Between Validation and Sanitization

Key Differences Between Validation and Sanitization  阅读原文»

VIP Services developer Daniel Bachhuber shares some tips on writing better code for your WordPress site:

Your code works, but is it safe? When writing code for a high-profile environment, you’ll need to be extra cautious of how you handle data coming into WordPress and how it’s presented to the end user. This commonly comes up when building a settings page for your theme, creating and manipulating shortcodes, or saving and rendering extra data associated with a post.

There’s a distinction between how input and output are managed, however.

Validation: Checking User Input

To validate is to ensure the data you’ve requested of the user matches what they’ve submitted. There are several core methods you can use for input validation; usage obviously depends on the type of fields you’d like to validate. Let’s take a look at an example.

Say we have an input area in our form like this:

<input type="text" id="my-zipcode" name="my-zipcode" maxlength="5" />

Just like that, we’ve limited my user to five characters of input, but there’s no limitation on what they can input. They could enter “11221″ or “eval(“. If we’re saving to the database, there’s no way we want to give the user unrestricted write access.

This is where validation plays a role. When processing the form, we’ll write code to check each field for its proper data type. If it’s not of the proper data type, we’ll discard it. For instance, to check “my-zipcode” field, we might do something like this:

$safe_zipcode = intval( $_POST['my-zipcode'] ); if ( ! $safe_zipcode ) $safe_zipcode = ''; update_post_meta( $post->ID, 'my_zipcode', $safe_zipcode );

The intval() function casts user input as an integer, and defaults to zero if the input was a non-numeric value. We then check to see if the value ended up as zero. If it did, we’ll save an empty value to the database. Otherwise, we’ll save the properly validated zipcode.

This style of validation most closely follows WordPress’ whitelist philosophy: only allow the user to input what you’re expecting. Luckily, there’s a number of handy helper functionsyou can use for most every data type.

Sanitization: Escaping Output

For security on the other end of the spectrum, we have sanitization. To sanitize is to take the data you may already have and help secure it prior to rendering it for the end user. WordPress thankfully has a few helper functions we can use for most of what we’ll commonly need to do:

esc_html() we should use anytime our HTML element encloses a section of data we’re outputting.

<h4><?php echo esc_html( $title ); ?></h4>

esc_url() should be used on all URLs, including those in the ‘src’ and ‘href’ attributes of an HTML element.

<img src="<?php echo esc_url( $great_user_picture_url ); ?>" />

esc_js() is intended for inline Javascript.

<a href="#" onclick="<?php echo esc_js( $custom_js ); ?>">Click me</a>

esc_attr() can be used on everything else that’s printed into an HTML element’s attribute.

<ul class="<?php echo esc_attr( $stored_class ); ?>">

It’s important to note that most WordPress functions properly prepare the data for output, and you don’t need to escape again.

<h4><?php the_title(); ?></h4>

Also, as there are always exceptions to the rule, there are a selection of user-submitted data that needs to be validated andsanitized. Freeform text areas would fall into this category. For this, you can run user data through sanitize_text_field() or any of the wp_kses_*() functions.

To recap:follow the whitelist philosophy with data validation, and only allow the user to input data of your expected type. If it’s not the proper type, discard it. Sanitize data as much as possible on output, and a selection needs to be sanitized on input too.

Hit us with your questions or tips in the comments.


该邮件由 QQ邮件列表 推送。
如果您不想继续收到该邮件,可点此 退订


Popular posts from this blog

How to find ideas to post new article in your blog

How to find ideas to post new article in your blog    阅读原文»   It is true that sometimes being a blogger may face situations where I would personally like to call it your brain juices got dried up as you have pretty much ran out of topic to blog and you are in crisis as your readers are anxiously waiting for your new posts but you are unable to give in. That’s when you will probably come with excuses like I just posted last week although that post was more directly towards the newbies who stop themselves from making money but it’s still pretty much the same even though you consider yourself not a newbie. The fact is that ideas are everywhere and I mean everywhere if you know where to find it and know how to leverage it. You may be surprised that sometimes these ideas are just right in front of you but you are not observant enough to convert these ideas and turn it into your blog post. Today I will share some tips on where to get these ideas and most of it is part of your dai

Over A Year After Android Launch, ShopSavvy Finally Comes To The iPhone

ShopSavvy was one of the best early Android applications. It launched in October of last year after winning one of the initial Android Developer Challenge top prizes (when it was still known as GoCart). But despite the success it has seen on Android, one question remained: When would it be available for the iPhone. Today, it finally is. Developed by the guys at Big In Japan , ShopSavvy is an app that allows you to use your device as a portable barcode scanner. You point your phone's camera at any barcode and it will read it, do a product look up, and give you information about the product, as well as where you can find it online or at nearby stores and for how much. Obviously, something like this is a window shopper's dream. ShopSavvy was one of the best early Android applications. It launched in October of last year after winning one of the initial Android Developer Challenge top prizes (when it was still known as GoCart). But despite the success it has seen on Android, o

部门心脏?您好!!              生产计划与物料控制PMC高级研修班 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 课程背景: 生产计划和物料控制(PMC)部门是一个企业"心脏", 掌握着企业生产及物料运作的总调度 和命脉,统筹营运资金、物流、信息等动脉,直接涉及影响生产部、生产工程部、采购、货仓、品 控部、开发与设计部、设备工程、人力资源及财务成本预算控制等,其制度和流程决定公司盈利成 败.因此PMC部门和相关管理层必须充分了解:物料计划、请购、物料调度、物料控制(收、发、退、 借、备料等)、生产计划与生产进度控制,并谙熟运用这门管理技术来解决问题,学习拉动计划价 值流(VSM)图,从拉动计划价值流切入剖析工厂制造成本和缩短制造周期 ,提高物流过程循环效 率(库存、资金的周转率)及客户满意率;为降低或消除物流过程中的非增值活动. ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 课程目标: 1、建立制定完善的生产与物控运作体系?提升准时交货和降低库存成本 2、预测及制定合理的短、中、长期销售计划?达成公司策略管理目标 3、对自身的生产能力负荷预先进行详细分析并建立完善产品数据机制协助公司建立产品工程数据 4、生产前期做好完整的生产排程和周生产计划?提高备料准确率,保持生产顺畅 5、配合生产计划做到良好物料损耗控制和备料?完善降低物料损耗机制和停工待料工时 6、对生产进度及物料进度及时跟进和沟通协调?缩短生产周期,提高企业竞争力 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 报名详情: 培训时间:2012年11月 3- 4深圳 11月15-16上海 11月22-23北京 12月 1- 2广州 承办单位:新 活 力 顾 问 培训对象:生产计划部门、物料计划部门、采购部门、 生产部门、销售部门、物流、研发部门、 PIE、IT 培训费用:3200元/人(包括资料费、午餐及上下午茶点等) 报名热线:400-623-8399 (免长途话费) 电邮: QQ:120915