Rabin Shrestha: Data Validation and Sanitization in WordPress

Transcript

  • 1. Data Validation And Sanitization
    Presented By: Rabin Shrestha, sun.ravi90@gmail.com
  • 2. Overview
    Definitions
    Why Data Validation and Sanitization?
    Difference between Data Validation and Sanitization
    Golden rules
    Some helper functions in the Codex
  • 3. Definitions
    Data Validation: making sure that we receive what we expect to receive before saving it to the database.
    Data Sanitization: making the data sane before use, i.e. before storing it in the database or echoing it to the browser (escaping).
  • 4. Why Validate and Sanitize Data?
    Hackers can inject various scripts (SQL injection) or XSS (Cross-site Scripting), for example:
    <script>alert(hacked)</script>
    <script>alert(document.cookie)</script>
  • 5. Why Validate and Sanitize Data?
    Can break the output of the website: use of a single quote or double quote can break the output.
    Spread malware.
  • 6. Difference
    Data Validation: if the data is valid we accept it; if not, we reject it.
    Data Sanitization: in contrast to data validation, sanitization does not reject the whole data but strips the evil tags and encodes the tags before echoing it to the browser.
  • 7. Still confused??
  • 8. Let's see this example. Source: http://devotepress.com
  • 9. Remember the Golden Rules
    Rule no. 1: Never, ever, trust your users.
    Rule no. 2: Validate/sanitize all inputs and escape all outputs.
    Rule no. 3: Trust WordPress.
  • 10. What does "trust WordPress" mean?
    Functions like the_title(), the_permalink(), the_title_attribute() and the_content() are already escaped by WordPress and are safe depending upon context.
    But custom data are not safe, e.g. get_post_meta().
  • 11. Some helper escaping functions
    esc_attr(): escapes content to be contained inside HTML attributes, e.g. title, rel etc. Encodes < > & " '.
    esc_textarea(): encodes text for use inside a <textarea> element. Uses the htmlspecialchars function of PHP.
  • 12. Some helper escaping functions contd..
    This text contain <script type="text/javascript">alert("XSS");</script> here!
    esc_url( $url, (array) $protocols ): sanitizes a URL. Rejects URLs that don't have one of the provided whitelisted protocols (defaulting to http, https, ftp, ftps, mailto, news, irc etc.).
  • 13. Some helper escaping functions contd..
    esc_html(): this function encodes < > & " ' (less than, greater than, ampersand, double quote, single quote), letting the browser render it instead of interpreting it.
    esc_js(): escapes single quotes and the htmlspecialchars characters " < > &. Intended to be used in inline JS, for example onclick="do something".
  • 14. Some helper input validating functions
    intval( $int ): ensures the number is an integer.
    absint( $int ): ensures the number is non-negative.
    sanitize_text_field(): strips out extra whitespace, tabs and line breaks, and strips tags.
  • 15. Some helper input validating functions contd..
    wp_kses_post(): sanitizes content, keeping only the HTML tags allowed in post content.
    wp_kses( $string, $allowed_html, $allowed_protocols ): only the HTML tags passed as argument are accepted.
  • 16. Some helper input validating functions contd..
    is_email( $email ): returns true if the email address is valid.
    esc_url_raw(): escapes URLs that are to be saved to the database.
    Note: esc_url is intended for output purposes, while esc_url_raw is intended for database storage. Also, esc_url does not encode HTML entities.
  • 17. Sources
    http://devotepress.com/coding/data-validation-sanitization-wordpress-1/
    http://devotepress.com/coding/data-validation-sanitization-wordpress-2/
    http://codex.wordpress.org/Data_Validation
    http://wordpress.tv/2011/09/07/mark-jaquith-jon-cave-brad-williams-plugin-security-showdown/
  • 18. Thank you! Any questions?
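The slides list the helper functions one by one but never show them working together. The following is an added example, not code from the presentation, that applies rule no. 2 in one save-and-render path: validate and sanitize on the way in, escape by context on the way out. It assumes a loaded WordPress environment; the option key 'demo_profile', the field names and the function names are hypothetical.

```php
<?php
// Added example (not from the slides). Assumes WordPress is loaded (plugin
// context); 'demo_profile' and the field names are hypothetical.

function demo_profile_sanitize( array $raw ) {
    $clean = array();

    // Validation: the e-mail is either valid or the whole submission is rejected.
    $email = isset( $raw['email'] ) ? sanitize_text_field( $raw['email'] ) : '';
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'A valid e-mail address is required.' );
    }
    $clean['email'] = $email;

    // Sanitization: keep the data but make it sane for storage.
    $clean['display_name'] = sanitize_text_field( isset( $raw['display_name'] ) ? $raw['display_name'] : '' );
    $clean['age']          = absint( isset( $raw['age'] ) ? $raw['age'] : 0 );
    // esc_url_raw() is the storage form; esc_url() is used only at output time.
    $clean['website']      = esc_url_raw( isset( $raw['website'] ) ? $raw['website'] : '' );
    // wp_kses_post() keeps post-safe HTML and drops <script> and event handlers.
    $clean['bio']          = wp_kses_post( isset( $raw['bio'] ) ? $raw['bio'] : '' );

    return $clean;
}

function demo_profile_save() {
    // wp_unslash() removes the slashes WordPress adds to superglobals.
    $clean = demo_profile_sanitize( wp_unslash( $_POST ) );
    if ( is_wp_error( $clean ) ) {
        return $clean;
    }
    update_option( 'demo_profile', $clean );
    return true;
}

// Escaping: the function is chosen by the context the value lands in
// (attribute, URL, HTML text, textarea, inline JS), not by where it came from.
function demo_profile_render( array $p ) {
    ?>
    <p><?php echo esc_html( $p['display_name'] ); ?> (<?php echo esc_html( $p['email'] ); ?>)</p>
    <a href="<?php echo esc_url( $p['website'] ); ?>"
       title="<?php echo esc_attr( $p['display_name'] ); ?>">Website</a>
    <div class="bio"><?php echo wp_kses_post( $p['bio'] ); ?></div>
    <textarea name="bio"><?php echo esc_textarea( $p['bio'] ); ?></textarea>
    <button onclick="greet('<?php echo esc_js( $p['display_name'] ); ?>')">Greet</button>
    <?php
}
```

The stored 'bio' is passed through wp_kses_post() again on output because sanitized-at-save data can still be edited directly in the database, so escaping on output does not rely on the input step.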