Security Advice Needed I am creating a WordPress multisite or network site with forms on each blog's dashboard where the admin can enter content. There are two textarea boxes and one text input box in the form, and it is being saved as post metadata using a $_POST action. What would you suggest I use to sanitize the data that is being saved? And where would this sanitizing function go? Thanks,
Re: Security Advice Needed Check out PDO; it auto-sanitizes (when used correctly!!)
Re: Security Advice Needed Being one old non-coder, PDO looks to be way over my head. I was reading the WordPress Codex for update_post() and noted that it runs any submission through kses. Does update_meta() run data submitted through kses?
Re: Security Advice Needed This page: Data Validation « WordPress Codex discusses data validation in WP. There are a number of WP functions that will do what you need. Also, you should check the docs on WP nonces: WordPress Nonces « WordPress Codex. Your form processing function verifies the nonce to ensure that whatever submitted the form data has the authority to do so. Also, it sounds like you're trying to create a dashboard widget? If so, this page: Dashboard Widgets API « WordPress Codex might help.
Re: Security Advice Needed Thanks Steve, I've been struggling, trying to figure out what to do, and am wondering if I could create a function and have the sanitize_meta function clean things up for me. It seems that is called when the update_meta function is called. What do you think?
Re: Security Advice Needed The sanitize_meta function is just an empty hook; it doesn't do anything on its own. You build your own sanitizing filter (function) for a specific meta key, and run it by adding the filter to the sanitize_meta function. You would use this kind of filter most often when you're needing to validate/sanitize a custom field that a user would enter. In your case, it would be easier to just build your filter into the function that saves the meta data. Let's say you want to allow only the limited HTML that is allowed in a comment. It's as simple as this:

    $meta_data = wp_kses_data( $_POST['meta_data'] );
    update_post_meta( $post->ID, 'meta_key', $meta_data );

( Function Reference/wp kses data « WordPress Codex ) It's kind of difficult to guide you without seeing exactly what you're doing.
Re: Security Advice Needed For my fields I use strip_tags and trim to make sure HTML tags are removed. Is it text content that goes in the text fields?
Re: Security Advice Needed lordspace, that is def not enough for insertion in a database...
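The pieces from the replies above (the nonce check, a kses filter for each field, and saving through update_post_meta) put together in one handler, as an added example that is not code posted by anyone in this thread. The field names, meta keys, nonce action and function names are illustrative assumptions; the WordPress functions called are the real ones. It goes a little beyond the two-line snippet above: the sanitizers are attached per meta key on the sanitize_post_meta_{key} filter (the hook the sanitize_meta() question was about), the handler checks a capability as well as the nonce, and the form escapes stored values on output, since stripping tags on the way in does not make the stored text safe to print.

```php
<?php
// Added example, not code from this thread. Field names, meta keys, the nonce
// action and the function names are illustrative; the WordPress functions are real.

// Sanitizers hooked per meta key. update_post_meta() calls sanitize_meta(),
// which applies the "sanitize_{object_type}_meta_{meta_key}" filter, so every
// write to these keys is cleaned no matter which code path saves them.
add_filter( 'sanitize_post_meta_example_title', 'sanitize_text_field' ); // one-line text, no tags
add_filter( 'sanitize_post_meta_example_intro', 'wp_kses_data' );        // comment-level HTML only
add_filter( 'sanitize_post_meta_example_body',  'wp_kses_post' );        // post-level HTML

// The form. The nonce field is what the handler verifies; stored values are
// escaped on output because sanitizing on input does not replace that step.
function example_render_form( $post_id ) {
    $title = get_post_meta( $post_id, 'example_title', true );
    $intro = get_post_meta( $post_id, 'example_intro', true );
    $body  = get_post_meta( $post_id, 'example_body', true );
    ?>
    <form method="post" action="">
        <?php wp_nonce_field( 'example_save_meta', 'example_nonce' ); ?>
        <input type="hidden" name="example_post_id" value="<?php echo esc_attr( $post_id ); ?>">
        <input type="text" name="example_title" value="<?php echo esc_attr( $title ); ?>">
        <textarea name="example_intro"><?php echo esc_textarea( $intro ); ?></textarea>
        <textarea name="example_body"><?php echo esc_textarea( $body ); ?></textarea>
        <input type="submit" value="Save">
    </form>
    <?php
}

// The handler: verify the nonce, check the capability, unslash, then save.
function example_handle_save() {
    if ( ! isset( $_POST['example_nonce'], $_POST['example_post_id'] ) ) {
        return; // not our form
    }
    // A valid nonce proves the request came from our form (blocks CSRF)...
    if ( ! wp_verify_nonce( $_POST['example_nonce'], 'example_save_meta' ) ) {
        wp_die( 'Invalid form submission.' );
    }
    // ...but not that this user may edit this post, so check the capability too.
    $post_id = absint( $_POST['example_post_id'] );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to edit this post.' );
    }
    // WordPress adds slashes to $_POST; remove them before sanitizing or saving.
    $fields = array( 'example_title', 'example_intro', 'example_body' );
    foreach ( $fields as $key ) {
        $raw = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
        // update_post_meta() runs the sanitize filters registered above and writes
        // through $wpdb->update()/$wpdb->insert(), which escape the values for SQL.
        update_post_meta( $post_id, $key, $raw );
    }
    // On multisite, if the target is a different blog, do the capability check
    // and the writes inside switch_to_blog( $blog_id ) ... restore_current_blog().
}
add_action( 'admin_init', 'example_handle_save' );
```

The filter callbacks take one argument, which is what add_filter() passes by default, so the three built-in sanitizers can be hooked directly; a custom meta key that needs a whitelist of its own would use wp_kses() with an explicit allowed-tags array in the same place.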
Re: Security Advice Needed I tried posting my code in here, but it appears I can't do the bbcode for code. Is it okay if I PM you and send what I think is the pertinent code, either privately or in an email? I'm not sure whether to put the sanitize function in the functions.php or the include file. Take a look at the code and you'll see why ... one of the things I do is switch between blogs a bit.
Re: Security Advice Needed numberic? I need to learn to spell when it is four hours past my old geezer bedtime.
Re: Security Advice Needed Files sent.