All posts tagged Data Sanitization

WordPress Plugin and Theme Security

by Ian Dunn

Mark Jaquith recently gave a good presentation on writing secure WordPress themes and plugins at WordCamp Phoenix 2011. The notes are also available. The main points are: protect against SQL injection by using the WordPress API whenever possible (because it automatically handles data sanitization); if the API can’t do what you need, use $wpdb->prepare(). Protect against cross-site scripting by sanitizing any output with esc_html(), esc_url(),… [more]

Making Coding Mistakes Obvious

by Ian Dunn

Joel Spolsky wrote an interesting article on ways to make coding mistakes obvious, like using semantic prefixes on variable names. If you have unfiltered data from the user, you can make the variable something like $usFoo so that you always remember that the data is unsafe, and won’t output it unfiltered (therefore preventing malicious code injection).