WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011

The WordPress Plugin & Theme Security presentation at WordCamp Melbourne February 2011.

Transcript

  • 1. Plugin & Theme Security http://johnford.is/ @iamjohnford
  • 2. SQL Injection
  • 3. $wpdb->query( "UPDATE $wpdb->posts SET post_title = $new_title WHERE ID = $id"); BAD
  • 4. $wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = $username AND user_pass = $password"); BAD
  • 5. $username = " OR 1 -- ";$wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = $username AND user_pass = $password"); BAD
  • 6. $wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = OR 1 -- AND user_pass = $password"); BAD
  • 7. $wpdb->update() GOOD
  • 8. $wpdb->update( $wpdb->posts, array( 'post_title' => $new_title ), array( 'ID' => $id ) ); GOOD
  • 9. $wpdb->insert( $table, $data ); GOOD
  • 10. $wpdb->prepare() GOOD
  • 11. $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_name = %s OR ID = %d", $some_name, $some_id); GOOD
  • 12. http://codex.wordpress.org/Function_Reference/wpdb_Class
  • 13. XSS: Cross-site Scripting
  • 14. <h1> <?php echo $title; ?></h1> BAD
  • 15. $title = "<script>jsCode();</script>"; <h1> <?php echo $title; ?></h1> BAD
  • 16. <h1> <?php echo esc_html( $title ); ?></h1> GOOD
  • 17. esc_attr_e()
  • 18. <a href="#wordcamp" title="<?php echo $title; ?>"> Link Text</a> BAD
  • 19. <?php $title = '" onmouseover="jsCode();'; ?><a href="#wordcamp" title="<?php echo $title; ?>"> Link Text</a> BAD
  • 20. <a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>"> Link Text</a> GOOD
  • 21. esc_textarea() GOOD
  • 22. <a href="<?php echo $url; ?>"> Link Text</a> BAD
  • 23. <?php $url = "javascript:jsCode();"; ?><a href="<?php echo $url; ?>"> Link Text</a> BAD
  • 24. <a href="<?php echo esc_url( $url ); ?>"> Link Text</a> GOOD
  • 25. <form action="<?php echo $_SERVER['REQUEST_URI']; ?>"> BAD
  • 26. <form action="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>"> GOOD
  • 27. <script> var foo = <?php echo $unsafe; ?>;</script> BAD
  • 28. <script> var foo = <?php echo esc_js( $unsafe ); ?>;</script> GOOD
  • 29. wp_filter_kses( $data ) GOOD
  • 30. http://codex.wordpress.org/Data_Validation
  • 31. CSRF: Cross-site Request Forgery
  • 32. Nonces: action-, object-, & user-specific time-limited secret keys
  • 33. wp_nonce_field( 'plugin-action_object' ) GOOD
  • 34. check_admin_referer( 'plugin-action_object' ) GOOD
  • 35. http://codex.wordpress.org/WordPress_Nonces
  • 36. eval() = evil
  • 37. Thank you! http://johnford.is/ @iamjohnford
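The slides show each API on its own; the following is an added example (not from the presentation) that combines them in one admin form that renames a post: an object-specific nonce, $wpdb->prepare()/$wpdb->update() for the database, and esc_html()/esc_attr()/esc_url() at every output point. The wcm_ function and action names are hypothetical, and the current_user_can() and sanitize_text_field() calls are real WordPress functions that are not on the slides.

```php
<?php
// Constructed example: admin-only "rename post" form built from the slides' APIs.
// Names prefixed "wcm_" are hypothetical.

// Handle the POST: CSRF check first, then the database write.
function wcm_handle_rename() {
    global $wpdb;

    $id = absint( $_POST['post_id'] );
    // Slide 32: the nonce is action- and object-specific, so tie it to the post ID.
    check_admin_referer( 'wcm-rename-post_' . $id );
    // Not on the slides: a nonce proves intent, not permission.
    if ( ! current_user_can( 'edit_post', $id ) ) {
        wp_die( 'Insufficient permissions' );
    }

    $new_title = sanitize_text_field( wp_unslash( $_POST['new_title'] ) );

    // Slide 8: $wpdb->update() quotes and escapes the values; no string building.
    $wpdb->update(
        $wpdb->posts,
        array( 'post_title' => $new_title ),
        array( 'ID' => $id ),
        array( '%s' ),   // value format
        array( '%d' )    // where format
    );
}

// Render the form: each dynamic value goes through the esc_*() for its context.
function wcm_render_form( $id ) {
    global $wpdb;

    // Slide 11: a placeholder instead of interpolating $id into the SQL.
    $title = $wpdb->get_var( $wpdb->prepare(
        "SELECT post_title FROM $wpdb->posts WHERE ID = %d", $id
    ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wcm-rename-post_' . $id ); ?>
        <input type="hidden" name="action" value="wcm_rename">
        <input type="hidden" name="post_id" value="<?php echo esc_attr( $id ); ?>">
        <h1><?php echo esc_html( $title ); ?></h1>
        <input type="text" name="new_title" value="<?php echo esc_attr( $title ); ?>">
        <input type="submit" value="Rename">
    </form>
    <?php
}

// admin_post_{action} routes the submitted "action" field to the handler.
add_action( 'admin_post_wcm_rename', 'wcm_handle_rename' );
```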