Uploaded bywpnepal
1,864 views

Rabin Shrestha: Data Validation and Sanitization in WordPress

This document discusses data validation and sanitization. It defines data validation as ensuring received data matches expectations before saving to a database, while data sanitization strips harmful tags from data before displaying. Validating and sanitizing is important for security against attacks like SQL injection. Functions like esc_attr() and esc_url() can help sanitize outputs, while intval() and sanitize_text_field() validate inputs. Golden rules are to never trust users and validate/sanitize all inputs and escape all outputs.

Embed presentation

Downloaded 17 times
Data Validation And Sanitization Presented By: Rabin Shrestha sun.ravi90@gmail.com
Overview Definitions Why Data Validation and Sanitization? Difference between Data Validation and Sanitization Golden rules Some helper functions in codex
Definitions Data Validation: Data validation is to make sure that we receive what we expect to receive before saving it to database. Data Sanitization: Make the data sane before use i.e. before storing to the database or echoing it to browsers(escaping)
Why Validate and Sanitize Data? Hackers can inject various script (sql injection) or XSS(Cross-site Scripting) <script>alert('hacked')</script> <script>alert(document.cookie)</script>
Why Validate and Sanitize Data? Can break the output of the website •Use of single quote, double quote can break the output Spread malware
Difference Data Validation: If the data is valid we accept it if not we reject it. Data Sanitization: In contrast to data validation, sanitization don‟t reject the whole data but strips the evil tags and encodes the tags before echoing it to browser.
Still confused??
Lets see this example Source: http://devotepress.com
Remember Golden Rule Rule no. 1: Never , Ever, Trust your users Rule no. 2: Validate/sanitize all inputs and escape all outputs Rule no.3: Trust WordPress
What does trust Wordpress mean? Functions like the_title(),the_permalink(), the_title_attribute(), the_content() are already escaped by WordPress and are safe depending upon context. But custom data are not safe e.g get_post_meta()
Some helper Escaping functions Esc_attr(): Escapes content to be contained inside HTML attributes e.g, title, rel etc. Encodes < > & “ „. Esc_textarea(): Encodes text for use inside <text area> element. Uses htmlspecialchars function of PHP.
Some helper Escaping functions contd.. This text contain <script type="text/javascript">alert("XSS");</script> here! Esc_url(‘ $url’,(array)$protocols’): Sanitizes url. Rejects url‟s that don‟t have one of the provided whitelisted protocols.(defaulting to http, https, ftp, ftps, mailto, news, irc etc)
Some helper Escaping functions contd.. Esc_html():This function encodes < > & ” „ (less than, greater than, ampersand, double quote, single quote), letting the browser render it instead of interpreting it. Esc_js(): Escape single quotes, htmlspecialchar “ < > &. Intended to be used in inline js. For example onclick=“do something”.
Some helper input validating functions Intval( $int ): Ensures the number is integer. Absint( $int ): Ensures the number is non- negative. Sanitize_text_field(): Strips out extra white space,tabs, line breaks and strips tags.
Some helper input validating functions condt.. Wp_kses_post(): Sanitize content for allowed HTML tags for post content. wp_kses($string, $allowed_html, $allowed_ protocols):Only allowed html tags passed as argument are accepted.
Some helper input validating functions condt.. Is_email( $email ): Returns true if the email address is valid. Esc_url_raw(): Escapes url that are to be saved to database. Note: Esc_url is intended for output purpose while esc_url_raw is intented for database storage. Also esc_url doesnot encodes html entities.
Sources http://devotepress.com/coding/data-validation- sanitization-wordpress-1/ http://devotepress.com/coding/data-validation- sanitization-wordpress-2/ http://codex.wordpress.org/Data_Validation http://wordpress.tv/2011/09/07/mark-jaquith- jon-cave-brad-williams-plugin-security- showdown/
Thank you! Any Questions?

More Related Content

PDF
New Features of JSR 317 (JPA 2.0)
byMarkus Eisele
 
PPTX
01 session tracking
bydhrubo kayal
 
PPTX
Time-Based Blind SQL Injection
bymatt_presson
 
DOCX
Types of sql injection attacks
byRespa Peter
 
PDF
10 Rules for Safer Code
byQuang Ngoc
 
PPTX
Presentation
bySantosh Kumar
 
PDF
70562 (1)
byPragya Rastogi
 
PDF
Dependency rejection and TDD without Mocks
byAntya Dev
 
New Features of JSR 317 (JPA 2.0)
byMarkus Eisele
 
01 session tracking
bydhrubo kayal
 
Time-Based Blind SQL Injection
bymatt_presson
 
Types of sql injection attacks
byRespa Peter
 
10 Rules for Safer Code
byQuang Ngoc
 
Presentation
bySantosh Kumar
 
70562 (1)
byPragya Rastogi
 
Dependency rejection and TDD without Mocks
byAntya Dev
 

What's hot

PDF
Sql Injection and XSS
byMike Crabb
 
PDF
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
PDF
Intro to Core Data
byMake School
 
PPTX
Sql Injection and Entity Frameworks
byRich Helton
 
PPTX
Sql Injection V.2
byTjylen Veselyj
 
PDF
2nd-Order-SQLi-Josh
byJoshua S. Clark, CISSP
 
PDF
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
PDF
SQL Injection Tutorial
byMagno Logan
 
PDF
Time-Based Blind SQL Injection Using Heavy Queries
byChema Alonso
 
PPT
Time-Based Blind SQL Injection using Heavy Queries
byChema Alonso
 
PPT
Sql injection
byPallavi Biswas
 
PPTX
Using MongoDB with the .Net Framework
byStefano Paluello
 
PPTX
Test Data Builder Pattern
byAlan Parkinson
 
PPTX
Android Training (Storing & Shared Preferences)
byKhaled Anaqwa
 
PPT
Jsp intro
byhusnara mohammad
 
PPTX
Greensql2007
byKaustav Sengupta
 
PPTX
Retrofit Web Forms with MVC & T4
bysoelinn
 
ODT
Sql injection
byAshok Kumar
 
PPT
Lecture13
byChâu Thanh Chương
 
PPTX
Unethical access to website’s databases hacking using sql injection
bySatyajit Mukherjee
 
Sql Injection and XSS
byMike Crabb
 
SQL Injection 101 : It is not just about ' or '1'='1 - Pichaya Morimoto
byPichaya Morimoto
 
Intro to Core Data
byMake School
 
Sql Injection and Entity Frameworks
byRich Helton
 
Sql Injection V.2
byTjylen Veselyj
 
2nd-Order-SQLi-Josh
byJoshua S. Clark, CISSP
 
Sql Injection - Vulnerability and Security
bySandip Chaudhari
 
SQL Injection Tutorial
byMagno Logan
 
Time-Based Blind SQL Injection Using Heavy Queries
byChema Alonso
 
Time-Based Blind SQL Injection using Heavy Queries
byChema Alonso
 
Sql injection
byPallavi Biswas
 
Using MongoDB with the .Net Framework
byStefano Paluello
 
Test Data Builder Pattern
byAlan Parkinson
 
Android Training (Storing & Shared Preferences)
byKhaled Anaqwa
 
Jsp intro
byhusnara mohammad
 
Greensql2007
byKaustav Sengupta
 
Retrofit Web Forms with MVC & T4
bysoelinn
 
Sql injection
byAshok Kumar
 
Lecture13
byChâu Thanh Chương
 
Unethical access to website’s databases hacking using sql injection
bySatyajit Mukherjee
 

Similar to Rabin Shrestha: Data Validation and Sanitization in WordPress

PDF
Ultimate xss
byARahim Özel
 
PPTX
Security Code Review 101
byPaul Ionescu
 
PDF
Validating and Sanitizing User Data
byzakieh alizadeh
 
PPT
PHPUG Presentation
byDamon Cortesi
 
PPT
12-security.ppt - PHP and Arabic Language - Index
bywebhostingguy
 
PDF
Secure WordPress Development Practices
byBrandon Dove
 
PDF
Things to keep in mind while creating a word press plugin from scratch
byElsner Technologies Pvt Ltd
 
ODP
What's Our Software Doing With All That User Input
byKim Carter
 
PDF
Coding Security: Code Mania 101
byNarudom Roongsiriwong, CISSP
 
PPT
Security.ppt
bywebhostingguy
 
PPTX
15 owasp top 10 - a3-xss
byappsec
 
PDF
Writing Secure Code for WordPress
byShawn Hooper
 
PDF
Sanitizing, Validating and Escaping in WordPress Themes and Plugins
byMicah Wood
 
PDF
OWASP Top 10 - DrupalCon Amsterdam 2019
byAyesh Karunaratne
 
PDF
WordPress Security 101: Essential Security Practices Simplified
byBlogVault Inc
 
PDF
WordPress Security - WordCamp Phoenix
byMark Jaquith
 
PDF
Writing Secure WordPress Code WordCamp NYC 2014
byBrad Williams
 
PDF
Tulsa techfest2010 security
byJason Ragsdale
 
PDF
Memphis php html form processing with php
byJoe Ferguson
 
PDF
Secure Coding With Wordpress (BarCamp Orlando 2009)
byMark Jaquith
 
Ultimate xss
byARahim Özel
 
Security Code Review 101
byPaul Ionescu
 
Validating and Sanitizing User Data
byzakieh alizadeh
 
PHPUG Presentation
byDamon Cortesi
 
12-security.ppt - PHP and Arabic Language - Index
bywebhostingguy
 
Secure WordPress Development Practices
byBrandon Dove
 
Things to keep in mind while creating a word press plugin from scratch
byElsner Technologies Pvt Ltd
 
What's Our Software Doing With All That User Input
byKim Carter
 
Coding Security: Code Mania 101
byNarudom Roongsiriwong, CISSP
 
Security.ppt
bywebhostingguy
 
15 owasp top 10 - a3-xss
byappsec
 
Writing Secure Code for WordPress
byShawn Hooper
 
Sanitizing, Validating and Escaping in WordPress Themes and Plugins
byMicah Wood
 
OWASP Top 10 - DrupalCon Amsterdam 2019
byAyesh Karunaratne
 
WordPress Security 101: Essential Security Practices Simplified
byBlogVault Inc
 
WordPress Security - WordCamp Phoenix
byMark Jaquith
 
Writing Secure WordPress Code WordCamp NYC 2014
byBrad Williams
 
Tulsa techfest2010 security
byJason Ragsdale
 
Memphis php html form processing with php
byJoe Ferguson
 
Secure Coding With Wordpress (BarCamp Orlando 2009)
byMark Jaquith
 

More from wpnepal

PDF
Avinash Kundaliya: Javascript and WordPress
bywpnepal
 
PDF
Roshan Bhattarai: Scaling WordPress for high traffic sites
bywpnepal
 
PPTX
How to earn and maximize your earnings from your Blog - Pawan Agrawal
bywpnepal
 
PDF
Chandra Prakash Thapa: Make a WordPress Multisite in 20 mins
bywpnepal
 
PPTX
Simple Contact Us Plugin Development
bywpnepal
 
PDF
Vinay Paudel: Optimizing and Speeding up a WordPress site
bywpnepal
 
PDF
Utsav Singh Rathour: How, Why and Where to use WordPress multisite
bywpnepal
 
PDF
Sanjip Shah: Internationalizing and Localizing WordPress Themes
bywpnepal
 
PDF
Jimba Tamang: Responsive and Retina Design
bywpnepal
 
PDF
Yalamber Subba: WordPress Jobs & Freelance Marketplaces
bywpnepal
 
PDF
Bigyan Ghimire: GovtPress
bywpnepal
 
PDF
Pankaj Agrawal: eLearning on WordPress
bywpnepal
 
PPT
WP Ambulance
bywpnepal
 
PPTX
Jimba Tamang: 5 reasons why “Parallax Websites” are awesome and how to create...
bywpnepal
 
PDF
Kris Thapa: WP Ambulance
bywpnepal
 
PDF
Mahadev Subedi: WordPress Security & Defense Mechanism
bywpnepal
 
PDF
Chandra Maharzan: Making a successful career out of WordPress
bywpnepal
 
PDF
Ujwal Thapa: WordPress as a Blogging Platform
bywpnepal
 
Avinash Kundaliya: Javascript and WordPress
bywpnepal
 
Roshan Bhattarai: Scaling WordPress for high traffic sites
bywpnepal
 
How to earn and maximize your earnings from your Blog - Pawan Agrawal
bywpnepal
 
Chandra Prakash Thapa: Make a WordPress Multisite in 20 mins
bywpnepal
 
Simple Contact Us Plugin Development
bywpnepal
 
Vinay Paudel: Optimizing and Speeding up a WordPress site
bywpnepal
 
Utsav Singh Rathour: How, Why and Where to use WordPress multisite
bywpnepal
 
Sanjip Shah: Internationalizing and Localizing WordPress Themes
bywpnepal
 
Jimba Tamang: Responsive and Retina Design
bywpnepal
 
Yalamber Subba: WordPress Jobs & Freelance Marketplaces
bywpnepal
 
Bigyan Ghimire: GovtPress
bywpnepal
 
Pankaj Agrawal: eLearning on WordPress
bywpnepal
 
WP Ambulance
bywpnepal
 
Jimba Tamang: 5 reasons why “Parallax Websites” are awesome and how to create...
bywpnepal
 
Kris Thapa: WP Ambulance
bywpnepal
 
Mahadev Subedi: WordPress Security & Defense Mechanism
bywpnepal
 
Chandra Maharzan: Making a successful career out of WordPress
bywpnepal
 
Ujwal Thapa: WordPress as a Blogging Platform
bywpnepal
 

Recently uploaded

PPTX
OCCULTISM IN JEHOVAH'S WITNESSES' ARTWORK
byDaniel Barnea
 
PPTX
Java Programming_BJD_Slideshare-Introduction.pptx
byBapusahebDange
 
PPTX
Blood, Blood Composition, Blood Groups, Disorders of Blood.pptx
byAshish Umale
 
PPTX
Redox Titration - Oxidation and Reduction
byKhushbu Shah
 
PPTX
THEORIES OF LEARNING Shilpa Hotakar.pptx
bySHILPA HOTAKAR
 
PPTX
Віртуальна виставка «Гра в життя» – «The Game of Life»
byVinnytsia Regional Universal Scientific Library named after Valentin Otamanovsky
 
PPTX
ANTI-TUSSIVE CHAPTER NO.05 PHARMACOGNOSY
byGanu Gavade
 
PPTX
DISCHARGE FROM HOSPITAL (JHASKETAN )(1).pptx
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
PDF
30 Ways Teachers Use AI in 2026 – Practical Classroom Workflows with Monsha f...
byMonsha.AI
 
PPTX
HYDROLYSIS OF EASTER (JHASKETAN).pptx
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
PPTX
SIZE REDUCTION Prepared By: Ms. Vaishnavi Ghormade
byvaishnavighormade199
 
PPTX
DIGITAL TRANSFORMATION MODULE KEY POINTS
byLisa Harris
 
PDF
eSAT-for-Teachers-2025-2028-ver.2-Nov2025 idp.pdf
byJunmelValientes
 
PPTX
what are the Talent pool in Odoo 19 Recruitment
byCeline George
 
PPTX
OverView of AI in Products in Odoo 19
byCeline George
 
PPTX
Throat painting and throat swab.....pptx
byAneetaSharma15
 
PPTX
GW4 BioMed Interview Support Webinar 2026
byGW4BioMedMRCDTP
 
PPTX
Regenerate invoice in odoo 19 Accounting
byCeline George
 
PPTX
How to add bank Account in Odoo 19
byCeline George
 
PPTX
Birthday Field in Employee Records Odoo 19
byCeline George
 
OCCULTISM IN JEHOVAH'S WITNESSES' ARTWORK
byDaniel Barnea
 
Java Programming_BJD_Slideshare-Introduction.pptx
byBapusahebDange
 
Blood, Blood Composition, Blood Groups, Disorders of Blood.pptx
byAshish Umale
 
Redox Titration - Oxidation and Reduction
byKhushbu Shah
 
THEORIES OF LEARNING Shilpa Hotakar.pptx
bySHILPA HOTAKAR
 
Віртуальна виставка «Гра в життя» – «The Game of Life»
byVinnytsia Regional Universal Scientific Library named after Valentin Otamanovsky
 
ANTI-TUSSIVE CHAPTER NO.05 PHARMACOGNOSY
byGanu Gavade
 
DISCHARGE FROM HOSPITAL (JHASKETAN )(1).pptx
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
30 Ways Teachers Use AI in 2026 – Practical Classroom Workflows with Monsha f...
byMonsha.AI
 
HYDROLYSIS OF EASTER (JHASKETAN).pptx
byJK NURSING VIBES ONLY JHASKETAN KUANAR
 
SIZE REDUCTION Prepared By: Ms. Vaishnavi Ghormade
byvaishnavighormade199
 
DIGITAL TRANSFORMATION MODULE KEY POINTS
byLisa Harris
 
eSAT-for-Teachers-2025-2028-ver.2-Nov2025 idp.pdf
byJunmelValientes
 
what are the Talent pool in Odoo 19 Recruitment
byCeline George
 
OverView of AI in Products in Odoo 19
byCeline George
 
Throat painting and throat swab.....pptx
byAneetaSharma15
 
GW4 BioMed Interview Support Webinar 2026
byGW4BioMedMRCDTP
 
Regenerate invoice in odoo 19 Accounting
byCeline George
 
How to add bank Account in Odoo 19
byCeline George
 
Birthday Field in Employee Records Odoo 19
byCeline George
 

Rabin Shrestha: Data Validation and Sanitization in WordPress

  • 2.
    Data Validation AndSanitization Presented By: Rabin Shrestha sun.ravi90@gmail.com
  • 3.
    Overview Definitions Why Data Validationand Sanitization? Difference between Data Validation and Sanitization Golden rules Some helper functions in codex
  • 4.
    Definitions Data Validation: Datavalidation is to make sure that we receive what we expect to receive before saving it to database. Data Sanitization: Make the data sane before use i.e. before storing to the database or echoing it to browsers(escaping)
  • 5.
    Why Validate andSanitize Data? Hackers can inject various script (sql injection) or XSS(Cross-site Scripting) <script>alert('hacked')</script> <script>alert(document.cookie)</script>
  • 6.
    Why Validate andSanitize Data? Can break the output of the website •Use of single quote, double quote can break the output Spread malware
  • 7.
    Difference Data Validation: Ifthe data is valid we accept it if not we reject it. Data Sanitization: In contrast to data validation, sanitization don‟t reject the whole data but strips the evil tags and encodes the tags before echoing it to browser.
  • 8.
  • 9.
    Lets see thisexample Source: http://devotepress.com
  • 10.
    Remember Golden Rule Ruleno. 1: Never , Ever, Trust your users Rule no. 2: Validate/sanitize all inputs and escape all outputs Rule no.3: Trust WordPress
  • 11.
    What does trustWordpress mean? Functions like the_title(),the_permalink(), the_title_attribute(), the_content() are already escaped by WordPress and are safe depending upon context. But custom data are not safe e.g get_post_meta()
  • 12.
    Some helper Escaping functions Esc_attr(): Escapes content to be contained inside HTML attributes e.g, title, rel etc. Encodes < > & “ „. Esc_textarea(): Encodes text for use inside <text area> element. Uses htmlspecialchars function of PHP.
  • 13.
    Some helper Escaping functions contd.. This text contain <script type="text/javascript">alert("XSS");</script> here! Esc_url(‘ $url’,(array)$protocols’): Sanitizes url. Rejects url‟s that don‟t have one of the provided whitelisted protocols.(defaulting to http, https, ftp, ftps, mailto, news, irc etc)
  • 14.
    Some helper Escaping functions contd.. Esc_html():This function encodes < > & ” „ (less than, greater than, ampersand, double quote, single quote), letting the browser render it instead of interpreting it. Esc_js(): Escape single quotes, htmlspecialchar “ < > &. Intended to be used in inline js. For example onclick=“do something”.
  • 15.
    Some helper inputvalidating functions Intval( $int ): Ensures the number is integer. Absint( $int ): Ensures the number is non- negative. Sanitize_text_field(): Strips out extra white space,tabs, line breaks and strips tags.
  • 16.
    Some helper inputvalidating functions condt.. Wp_kses_post(): Sanitize content for allowed HTML tags for post content. wp_kses($string, $allowed_html, $allowed_ protocols):Only allowed html tags passed as argument are accepted.
  • 17.
    Some helper inputvalidating functions condt.. Is_email( $email ): Returns true if the email address is valid. Esc_url_raw(): Escapes url that are to be saved to database. Note: Esc_url is intended for output purpose while esc_url_raw is intented for database storage. Also esc_url doesnot encodes html entities.
  • 18.
  • 19.