Go Back   WarriorForum - Internet Marketing Forums > Warrior Support Forums > Programming Talk
#1 Kirk Ward, 02-10-2013, 06:07 PM
Security Advice Needed

I am creating a WordPress multisite or network site with forms on each blog's dashboard where the admin can enter content.

There are two textarea boxes and one text input box in the form, and it is being saved as post metadata using a _POST action.

What would you suggest I use to sanitize the data that is being saved? And, where would this sanitizing function go?

Thanks,

"We are not here to sell a parcel of boilers and vats, but the potentiality of growing rich beyond the dreams of avarice."

Dr. Samuel Johnson (presiding at the sale of Thrale's brewery, London, 1781)
#2 SteveSRS, 02-11-2013, 01:29 AM
Re: Security Advice Needed

Check out PDO; it auto-sanitizes (when used correctly!!).
#3 Kirk Ward, 02-11-2013, 06:36 AM
Re: Security Advice Needed

Being one old non-coder, PDO looks to be way over my head.

I was reading the WordPress Codex for update_post() and noted that it runs any submission through kses. Does update_meta() run submitted data through kses?

#4 SteveJohnson, 02-11-2013, 07:51 AM
Re: Security Advice Needed

This page: Data Validation WordPress Codex discusses data validation in WP. There are a number of WP functions that will do what you need. Also, you should check the docs on WP nonces: WordPress Nonces WordPress Codex. Your form processing function verifies the nonce to ensure that whatever submitted the form data has the authority to do so.

Also, it sounds like you're trying to create a dashboard widget? If so, this page: Dashboard Widgets API WordPress Codex might help.

Quote:
Does update_meta() run data submitted through kses?

No, it does not. The only sanitization of data occurs when the UPDATE statement is prepared. You need to do your own validation first.
#5 Kirk Ward, 02-18-2013, 08:09 PM
Re: Security Advice Needed

Thanks Steve,

I've been struggling, trying to figure out what to do, and am wondering if I could create a function and have the sanitize_meta function clean things up for me. It seems that is called when the update_meta function is called.

What do you think?

#6 SteveJohnson, 02-18-2013, 11:24 PM
Re: Security Advice Needed

The sanitize_meta function is just an empty hook; it doesn't do anything on its own. You build your own sanitizing filter (function) for a specific meta key, and run it by adding the filter to the sanitize_meta function. You would use this kind of filter most often when you need to validate/sanitize a custom field that a user would enter.

In your case, it would be easier to just build your filter into the function that saves the meta data.

Let's say you want to allow only the limited HTML that is allowed in a comment. It's as simple as this:

$meta_data = wp_kses_data( $_POST['meta_data'] );
update_post_meta( $post->ID, 'meta_key', $meta_data );

( Function Reference/wp kses data WordPress Codex )

It's kind of difficult to guide you without seeing exactly what you're doing.
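To put posts #4 and #6 together in one place, here is an added example (not code from the thread or from WordPress itself) of a save handler for the form Kirk describes: two text-only textareas and one numeric text input stored with update_post_meta(), with the nonce and capability checks in front and both sanitizing approaches shown. The meta keys, field names, nonce action and the save_post hook are assumptions made up for the example.

```php
<?php
// Added example: meta keys, field names, nonce action and hook are assumed.

// Approach 1: a sanitizer tied to the meta key. sanitize_meta() applies the
// "sanitize_post_meta_{$meta_key}" filter, so this runs on every
// update_post_meta() / add_post_meta() call for 'example_amount'.
add_filter( 'sanitize_post_meta_example_amount', 'example_sanitize_amount' );
function example_sanitize_amount( $value ) {
    // Numeric only: anything else collapses to 0.
    return absint( $value );
}

// Approach 2 (the simpler one SteveJohnson suggests): sanitize inside the
// function that saves the data.
function example_save_form( $post_id ) {
    // 1. Prove the request came from our form (nonce verification) ...
    if ( ! isset( $_POST['example_nonce'] )
        || ! wp_verify_nonce( $_POST['example_nonce'], 'example_save_' . $post_id ) ) {
        return;
    }
    // 2. ... and that this user is allowed to edit this post at all.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    // 3. Text-only textareas: strip every tag, then trim. WordPress has
    //    already slash-escaped $_POST, and update_post_meta() expects
    //    slashed input, so the values are passed on as they are.
    $notes   = isset( $_POST['example_notes'] )   ? $_POST['example_notes']   : '';
    $summary = isset( $_POST['example_summary'] ) ? $_POST['example_summary'] : '';
    $notes   = trim( wp_strip_all_tags( $notes ) );
    $summary = trim( wp_strip_all_tags( $summary ) );

    // 4. Numeric field: validate rather than just strip; bad input is
    //    never stored, it is rejected.
    if ( ! isset( $_POST['example_amount'] ) || ! is_numeric( $_POST['example_amount'] ) ) {
        return;
    }

    update_post_meta( $post_id, 'example_notes',   $notes );
    update_post_meta( $post_id, 'example_summary', $summary );
    // The filter registered above still runs absint() on this value.
    update_post_meta( $post_id, 'example_amount',  $_POST['example_amount'] );
}
add_action( 'save_post', 'example_save_form' );

// In the form markup, the matching nonce field would be:
// wp_nonce_field( 'example_save_' . $post->ID, 'example_nonce' );
```

If the fields should keep the limited HTML that comments allow, swap wp_strip_all_tags() for wp_kses_data() as in the post above; the nonce and capability checks stay the same.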
#7 lordspace, 02-19-2013, 05:20 PM
Re: Security Advice Needed

For my fields I use strip_tags and trim to make sure HTML tags are removed.
Is it text content that goes in the text fields?

#8 SteveSRS, 02-20-2013, 12:34 AM
Re: Security Advice Needed

lordspace, that is def not enough for insertion in a database...
#9 SteveJohnson, 02-20-2013, 09:10 AM
Re: Security Advice Needed

Quote:
Originally Posted by SteveSRS
lordspace, that is def not enough for insertion in a database...

It is if you're using built-in WP routines to update the db, as Kirk is.
#10 Kirk Ward, 02-20-2013, 10:28 PM
Re: Security Advice Needed

Quote:
Originally Posted by SteveJohnson
It's kind of difficult to guide you without seeing exactly what you're doing.

Sorry I've not answered sooner. I've been trying to understand Stripe (http://stripe.com).

I tried posting my code in here, but it appears I can't do the bbcode for code.

Is it okay if I PM you and send what I think is the pertinent code, either privately or in an email?

I'm not sure whether to put the sanitize function in the functions.php or the include file. Take a look at the code and you'll see why ... one of the things I do is switch between blogs a bit.

#11 Kirk Ward, 02-20-2013, 10:30 PM
Re: Security Advice Needed

Quote:
Originally Posted by lordspace
For my fields I use strip_tags and trim to make sure HTML tags are removed.
Is it text content that goes in the text fields?

Yes, it is text only for two textarea fields and numberic only for the text input box.

numberic?

I need to learn to spell when it is four hours past my old geezer bedtime.

#12 SteveJohnson, 02-21-2013, 10:46 AM
Re: Security Advice Needed

Quote:
Originally Posted by Kirk Ward
Sorry I've not answered sooner. I've been trying to understand Stripe (http://stripe.com).

I tried posting my code in here, but it appears I can't do the bbcode for code.

Is it okay if I PM you and send what I think is the pertinent code, either privately or in an email?

I'm not sure whether to put the sanitize function in the functions.php or the include file. Take a look at the code and you'll see why ... one of the things I do is switch between blogs a bit.

It would be better if you were to supply the complete plugin or theme folder that you're working on; that lets me see everything in context. Just zip up the folder and send it in a PM to me (I think you can include files in PMs? Dunno for sure). I'll PM you my email addr to use if that won't work.
#13 Kirk Ward, 02-21-2013, 05:49 PM
Re: Security Advice Needed

Quote:
Originally Posted by SteveJohnson
It would be better if you were to supply the complete plugin or theme folder that you're working on; that lets me see everything in context. Just zip up the folder and send it in a PM to me (I think you can include files in PMs? Dunno for sure). I'll PM you my email addr to use if that won't work.

I'd thank you two or three times if the WF software would let me.

Files sent.
