尊敬的i.1, 您好:
!
此致,
敬礼!
禄任辉 -2011-10-16-7:27:16
Oct 15, 2011
Oct 14, 2011
Key Differences Between Validation and Sanitization
Key Differences Between Validation and Sanitization 阅读原文»
VIP Services developer Daniel Bachhuber shares some tips on writing better code for your WordPress site:
Your code works, but is it safe? When writing code for a high-profile environment, you’ll need to be extra cautious of how you handle data coming into WordPress and how it’s presented to the end user. This commonly comes up when building a settings page for your theme, creating and manipulating shortcodes, or saving and rendering extra data associated with a post.
There’s a distinction between how input and output are managed, however.
Validation: Checking User Input
To validate is to ensure the data you’ve requested of the user matches what they’ve submitted. There are several core methods you can use for input validation; usage obviously depends on the type of fields you’d like to validate. Let’s take a look at an example.
Say we have an input area in our form like this:
<input type="text" id="my-zipcode" name="my-zipcode" maxlength="5" />
Just like that, we’ve limited my user to five characters of input, but there’s no limitation on what they can input. They could enter “11221″ or “eval(“. If we’re saving to the database, there’s no way we want to give the user unrestricted write access.
This is where validation plays a role. When processing the form, we’ll write code to check each field for its proper data type. If it’s not of the proper data type, we’ll discard it. For instance, to check “my-zipcode” field, we might do something like this:
$safe_zipcode = intval( $_POST['my-zipcode'] ); if ( ! $safe_zipcode ) $safe_zipcode = ''; update_post_meta( $post->ID, 'my_zipcode', $safe_zipcode );
The intval() function casts user input as an integer, and defaults to zero if the input was a non-numeric value. We then check to see if the value ended up as zero. If it did, we’ll save an empty value to the database. Otherwise, we’ll save the properly validated zipcode.
This style of validation most closely follows WordPress’ whitelist philosophy: only allow the user to input what you’re expecting. Luckily, there’s a number of handy helper functionsyou can use for most every data type.
Sanitization: Escaping Output
For security on the other end of the spectrum, we have sanitization. To sanitize is to take the data you may already have and help secure it prior to rendering it for the end user. WordPress thankfully has a few helper functions we can use for most of what we’ll commonly need to do:
esc_html() we should use anytime our HTML element encloses a section of data we’re outputting.
<h4><?php echo esc_html( $title ); ?></h4>
esc_url() should be used on all URLs, including those in the ‘src’ and ‘href’ attributes of an HTML element.
<img src="<?php echo esc_url( $great_user_picture_url ); ?>" />
esc_js() is intended for inline Javascript.
<a href="#" onclick="<?php echo esc_js( $custom_js ); ?>">Click me</a>
esc_attr() can be used on everything else that’s printed into an HTML element’s attribute.
<ul class="<?php echo esc_attr( $stored_class ); ?>">
It’s important to note that most WordPress functions properly prepare the data for output, and you don’t need to escape again.
<h4><?php the_title(); ?></h4>
Also, as there are always exceptions to the rule, there are a selection of user-submitted data that needs to be validated andsanitized. Freeform text areas would fall into this category. For this, you can run user data through sanitize_text_field() or any of the wp_kses_*() functions.
To recap:follow the whitelist philosophy with data validation, and only allow the user to input data of your expected type. If it’s not the proper type, discard it. Sanitize data as much as possible on output, and a selection needs to be sanitized on input too.
Hit us with your questions or tips in the comments.
Oct 13, 2011
gblog.stutimes.com - Did you receive this email sent to you last week ?
Did you receive the e-mail which we sent to you recently (copied here-below)?
Please confirm since I have had problems lately with emails intercepted by spam-filters set too high.
Cordially,
Martin Vermont, Ph.D.
martinvermont@languageseo.net
I am Dr. Martin Vermont and I work for Multilingual Search Engine Optimization Inc. in Washington DC (Tel: 1-202-558-2504) - I would like to speak with the person in charge of your international clientele. Who is my contact? Who should I speak to??
In fact, after visiting gblog.stutimes.com , I have noticed that your website cannot be found on foreign search engines (I tested it on Hispanic search engines, German search engines, Asian search engines, etc.) Our company is specialized in multilingual search engine promotions in 28 languages . From the Japanese Google to the German Yahoo, from the AOL in Spanish to the MSN in Chinese, we can show you how to develop a true international online presence by promoting your website on foreign search engines.
Let us show you how to develop a presence on the multilingual web without having to translate your website: It is not necessary to translate your website in order to submit to foreign search engines, however, you need to have at least 1 page in Japanese optimized with Japanese keywords and meta tags in order to submit to Japanese search engines, at least 1 page in Spanish optimized with Spanish keywords in order to submit to Hispanic search engines and so on...
I strongly suggest that you watch our online presentation which explains clearly how to get top rankings on foreign search engines with only 1 entry page per language (click on the following link or copy-paste it into your web browser): http://www.languageseo.net/demo
From the Japanese Google to the German Yahoo, from the AOL in Spanish to the MSN in Chinese, get users to find your website when searching with YOUR KEYWORDS in their Native language.
Please call me at +1 (202) 558-2504 or email me and let's work on giving your website the true international exposure which it deserves to have with foreign native online users!!
Regards,
Martin Vermont, Ph.D.
martinvermont@languageseo.net
Multilingual Search Engine Optimization Inc.
1250 Connecticut Ave N.W. Suite 200
Washington, DC 20036 USA
TEL: +1 (202) 558-2504 - FAX: 1 (202)-318-4779
http://www.languageseo.net
Multilingual Search Engine Promotion Services since 1999.
Oct 12, 2011
Oct 11, 2011
Oct 10, 2011
WordPress 3.3 Beta 1
WordPress 3.3 Beta 1 阅读原文»
WordPress 3.3 is ready for beta testers.
As always, this is software still in development andwe don't recommend that you run it on a production site― set up a test site just to play with the new version. If you break it (find a bug), please report it, and if you're a developer, try to help us fix it.
If all goes well, we hope to release WordPress 3.3 by the end of November. The more help we get with testing and fixing bugs, the sooner we will be able to release the final version. If you want to be a beta tester, you should check out the Codex article onhow to report bugs.
Here's some of what's new:
- Media uploader
- Improved admin bar
- Fly out admin menus
Remember, if you find something you think is a bug, report it! You can bring it up in thealpha/beta forum, you can email it to thewp-testers list, or if you've confirmed that other people are experiencing the same bug, you can report it on theWordPress Core Trac. (We recommend starting in the forum or on the mailing list.)
Theme and plugin authors, if you haven't been following the 3.3 development cycle,please start nowso that you can update your themes and plugins to be compatible with the newest version of WordPress.
And now, haiku.
Features almost done…
3.3 at Beta 1.
Test it now — have fun!
Oct 9, 2011
Subscribe to:
Posts (Atom)