WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
•
2 likes•6,545 views
The WordPress Plugin & Theme Security presentation at WordCamp Melbourne February 2011.
Recommended
Recommended
More Related Content
Similar to WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
Similar to WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011 (20)
Recently uploaded
Recently uploaded (20)
WordPress Plugin & Theme Security - WordCamp Melbourne - February 2011
- 1. Plugin & Theme Security http://johnford.is/ @iamjohnford
- 3. $wpdb->query( "UPDATE $wpdb->posts SET post_title = '$new_title' WHERE ID = $id" ); BAD
- 4. $wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = '$username' AND user_pass = '$password'" ); BAD
- 5. $username = "' OR 1 -- "; $wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = '$username' AND user_pass = '$password'" ); BAD
- 6. $wpdb->query( "SELECT * FROM $wpdb->users WHERE user_login = '' OR 1 -- ' AND user_pass = '$password'" ); BAD
- 7. $wpdb->update() GOOD
- 8. $wpdb->update( $wpdb->posts, array( 'post_title' => $new_title ), array( 'ID' => $id ) ); GOOD
- 9. $wpdb->insert( $table, $data ); GOOD
- 10. $wpdb->prepare() GOOD
- 11. $wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_name = %s OR ID = %d", $some_name, $some_id ); GOOD
- 12. http://codex.wordpress.org/ Function_Reference/ wpdb_Class
- 14. <h1> <?php echo $title; ?> </h1> BAD
- 15. $title = '<script>jsCode();</script>'; <h1> <?php echo $title; ?> </h1> BAD
- 16. <h1> <?php echo esc_html( $title ); ?> </h1> GOOD
- 17. esc_attr_e()
- 18. <a href="#wordcamp" title="<?php echo $title; ?>"> Link Text </a> BAD
- 19. <?php $title = '" onmouseover="jsCode();'; ?> <a href="#wordcamp" title="<?php echo $title; ?>"> Link Text </a> BAD
- 20. <a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>"> Link Text </a> GOOD
- 21. esc_textarea() GOOD
- 24. <a href="<?php echo $url; ?>"> Link Text </a> BAD
- 25. <?php $url = 'javascript:jsCode();'; ?> <a href="<?php echo $url; ?>"> Link Text </a> BAD
- 26. <a href="<?php echo esc_url( $url ); ?>"> Link Text </a> GOOD
- 27. <form action="<?php echo $_SERVER['REQUEST_URI']; ?>"> BAD
- 28. <form action="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>"> GOOD
- 29. <script> var foo = '<?php echo $unsafe; ?>'; </script> BAD
- 30. <script> var foo = '<?php echo esc_js( $unsafe ); ?>'; </script> GOOD
- 31. wp_filter_kses( $data ) GOOD
- 32. http://codex.wordpress.org/ Data_Validation
- 34. Nonces action-, object-, & user-specific time-limited secret keys
- 38. http://codex.wordpress.org/ WordPress_Nonces
- 39. eval() = evil
- 40. Thank you! http://johnford.is/ @iamjohnford