How secure is your WordPress theme or plugin? Are you confident that you have protected yourself, your clients or your users against the most common hacks? Validating, sanitizing and escaping are techniques that are foundational to the security of your website, application or software product. Learn how WordPress makes it easy for you to secure your code and start writing better code today!

1. Sanitizing, Validating and Escaping
in WordPress Themes and Plugins
by Micah Wood
@wpscholar
wpscholar.com/wpyall2014

2. Sanitization
Cleaning user input

3. Sanitization Example

4. Sanitize Text Fields

5. Sanitize URL Slugs

6. Sanitize URLs

7. Sanitize Emails

8. Sanitize HTML Classes

9. Sanitize HTML

10. Other Sanitization Functions
• sanitize_file_name()
• sanitize_key()
• sanitize_mime_type()
• sanitize_sql_orderby()
• sanitize_title_for_query()
• sanitize_title_with_dashes()
• sanitize_user()

11. Validation
Checking user input

12. Validation Example

13. Data Type

14. Validate HTML

15. Validate Meta

16. Validate Capability

17. Validate Option

18. Validate Intention

19. Escaping
Securing output

20. Escape HTML Attributes

21. Escape HTML Attributes

22. Escape HTML

23. Escape HTML

24. Escape URLs

25. Escape Textareas

26. Escape Inline JavaScript

27. Escape SQL Queries
Permanent link to this comic: http://xkcd.com/327/

28. Escape SQL Queries

29. Escape SQL Queries

30. Escape SQL Queries

31. Escape SQL Queries

32. Escape SQL Queries

33. Tips
• Search for echo $ and echo get_
• Use VIP Scanner if you are creating a theme

34. Trust WordPress

35. Questions?