Data Validation And Sanitization


Presented By: Rabin Shrestha
sun.ravi90@gmail.com
Overview

Definitions
Why Data Validation and Sanitization?
Difference between Data Validation and Sanitization
Golden rules
Some helper functions in codex
Definitions

Data Validation: Data validation makes sure that we receive what we expect to receive before saving it to the database.

Data Sanitization: Make the data sane before use, i.e. before storing it in the database or echoing it to the browser (escaping).
Why Validate and Sanitize Data?
Hackers can inject various scripts (SQL injection) or XSS (Cross-site Scripting), e.g.:
<script>alert('hacked')</script>
<script>alert(document.cookie)</script>
Why Validate and Sanitize Data?
Can break the output of the website
  • Use of a single quote or double quote can break the output
Spread malware
Difference

Data Validation: If the data is valid we accept it; if not, we reject it.

Data Sanitization: In contrast to data validation, sanitization doesn't reject the whole data but strips the evil tags and encodes the remaining tags before echoing it to the browser.
Still confused? Let's see this example.

Source: http://devotepress.com
Remember Golden Rule

Rule no. 1: Never, ever trust your users
Rule no. 2: Validate/sanitize all inputs and escape all outputs
Rule no. 3: Trust WordPress
What does "trust WordPress" mean?
Functions like the_title(), the_permalink(), the_title_attribute() and the_content() are already escaped by WordPress and are safe, depending upon context.

But custom data is not safe, e.g. values returned by get_post_meta().
Some helper escaping functions
esc_attr(): Escapes content to be contained inside HTML attributes, e.g. title, rel etc. Encodes < > & " '.
esc_textarea(): Encodes text for use inside a <textarea> element. Uses PHP's htmlspecialchars function.
Some helper escaping functions contd.
Example string: This text contains <script type="text/javascript">alert("XSS");</script> here!

esc_url( $url, (array) $protocols ): Sanitizes a URL. Rejects URLs that don't have one of the provided whitelisted protocols (defaulting to http, https, ftp, ftps, mailto, news, irc etc.).
Some helper escaping functions contd.
esc_html(): This function encodes < > & " ' (less than, greater than, ampersand, double quote, single quote), letting the browser render them instead of interpreting them.

esc_js(): Escapes single quotes and the htmlspecialchars characters " < > &. Intended to be used in inline JS, for example onclick="do something".
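Putting the escaping functions together, as an added example rather than code from the slides: a template function that renders custom fields fetched with get_post_meta() and picks the escaping function by output context (body text, attribute, URL, inline JS, textarea). It assumes WordPress is loaded and that it runs inside the loop; the function name wpnepal_render_profile() and the _wpnepal_* meta keys are made up for illustration.

```php
<?php
// Added example (not from the slides). Assumes WordPress is loaded and that we
// are inside the loop. Meta keys _wpnepal_* are illustrative only.

function wpnepal_render_profile( $post_id ) {
    // Core template tags already escape their output for their own context.
    the_title( '<h2>', '</h2>' );

    // Custom data comes back raw from the database: escape at the point of output,
    // choosing the function that matches where the value lands in the page.
    $nickname = get_post_meta( $post_id, '_wpnepal_nickname', true );
    $website  = get_post_meta( $post_id, '_wpnepal_website', true );
    $bio      = get_post_meta( $post_id, '_wpnepal_bio', true );
    ?>
    <!-- HTML body text: esc_html() encodes < > & " ' so the browser renders them literally -->
    <p class="nick"><?php echo esc_html( $nickname ); ?></p>

    <!-- Attribute values: esc_attr() for title/rel/etc.; esc_url() for href/src,
         which also drops URLs whose protocol is not on the allowed list -->
    <a href="<?php echo esc_url( $website ); ?>"
       title="<?php echo esc_attr( $nickname ); ?>">Website</a>

    <!-- Inline JS inside an event-handler attribute: esc_js() escapes the quotes
         and HTML-special characters that would otherwise break out of the string -->
    <button onclick="showNick('<?php echo esc_js( $nickname ); ?>')">Show</button>

    <!-- Editable text inside a <textarea>: esc_textarea() -->
    <textarea name="bio"><?php echo esc_textarea( $bio ); ?></textarea>

    <!-- HTML that is meant to render as HTML: filter it with wp_kses_post() on
         output too, rather than trusting that the stored copy was filtered on save -->
    <div class="bio"><?php echo wp_kses_post( $bio ); ?></div>
    <?php
}
```

The same nickname is escaped three different ways above because the three locations have different parsers (HTML text, an attribute value, a JavaScript string); a value that is safe in one is not automatically safe in the others.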
Some helper input validating functions
intval( $int ): Ensures the number is an integer.

absint( $int ): Ensures the number is non-negative.

sanitize_text_field(): Strips out extra white space, tabs and line breaks, and strips tags.
Some helper input validating functions contd.
wp_kses_post(): Sanitizes content, allowing only the HTML tags permitted in post content.

wp_kses( $string, $allowed_html, $allowed_protocols ): Only the allowed HTML tags passed as argument are accepted.
Some helper input validating functions contd.
is_email( $email ): Returns true if the email address is valid.

esc_url_raw(): Escapes URLs that are to be saved to the database.
Note: esc_url is intended for output, while esc_url_raw is intended for database storage. Also, esc_url does not encode HTML entities.
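The validation-versus-sanitization distinction from the Difference slide, applied with these helper functions, as an added example (not code from the slides): a save routine that rejects invalid fields outright (validation) and cleans the rest before storing them (sanitization). It assumes WordPress is loaded; the function name wpnepal_save_profile_fields(), the field names, the age range and the _wpnepal_* meta keys are made up for illustration, and the caller is expected to have done its own nonce and capability checks before handing over the submitted array.

```php
<?php
// Added example (not from the slides). Assumes WordPress is loaded. Field names,
// the 1..150 age range and the _wpnepal_* meta keys are illustrative only.
// $input is the submitted form array (e.g. $_POST); WordPress adds slashes to
// request data, so wp_unslash() is applied before sanitizing strings.

function wpnepal_save_profile_fields( $post_id, array $input ) {
    $errors = new WP_Error();

    // --- Validation: the value is either acceptable or the submission is rejected.
    $email = isset( $input['contact_email'] ) ? trim( wp_unslash( $input['contact_email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        $errors->add( 'contact_email', 'The contact e-mail address is not valid.' );
    }

    $age = isset( $input['age'] ) ? absint( $input['age'] ) : 0; // never negative, non-numeric becomes 0
    if ( $age < 1 || $age > 150 ) {
        $errors->add( 'age', 'Age must be between 1 and 150.' );
    }

    // --- Sanitization: keep the data, but make it sane before it reaches the database.
    $nickname = sanitize_text_field( wp_unslash( $input['nickname'] ?? '' ) ); // strips tags and stray whitespace
    $bio      = wp_kses_post( wp_unslash( $input['bio'] ?? '' ) );             // only the HTML allowed in posts

    // esc_url_raw() is the storage variant; it returns '' for a URL whose protocol
    // is not on the allowed list, which we treat as a validation failure.
    $website_in = wp_unslash( $input['website'] ?? '' );
    $website    = esc_url_raw( $website_in );
    if ( '' !== $website_in && '' === $website ) {
        $errors->add( 'website', 'The website URL must use an allowed protocol.' );
    }

    // A tighter allowlist than wp_kses_post(): a tagline may contain only <a>, <strong>, <em>.
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
    );
    $tagline = wp_kses( wp_unslash( $input['tagline'] ?? '' ), $allowed, array( 'http', 'https' ) );

    if ( $errors->has_errors() ) {
        return $errors; // validation failed: reject the whole submission, store nothing
    }

    update_post_meta( $post_id, '_wpnepal_contact_email', $email );
    update_post_meta( $post_id, '_wpnepal_age', $age );
    update_post_meta( $post_id, '_wpnepal_nickname', $nickname );
    update_post_meta( $post_id, '_wpnepal_bio', $bio );
    update_post_meta( $post_id, '_wpnepal_website', $website );
    update_post_meta( $post_id, '_wpnepal_tagline', $tagline );
    return true;
}
```

Note that storing sanitized values does not remove the need to escape them again on output (Rule no. 2): the save path decides what is allowed into the database, the output path decides how it is rendered in a given context.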
Sources

http://devotepress.com/coding/data-validation-sanitization-wordpress-1/
http://devotepress.com/coding/data-validation-sanitization-wordpress-2/
http://codex.wordpress.org/Data_Validation
http://wordpress.tv/2011/09/07/mark-jaquith-jon-cave-brad-williams-plugin-security-showdown/
Thank you!
Any Questions?
