Sanitizing, Validating and Escaping
in WordPress Themes and Plugins
by Micah Wood
@wpscholar
wpscholar.com/wpyall2014
Sanitization
Cleaning user input
Sanitization Example
Sanitize Text Fields
Sanitize URL Slugs
Sanitize URLs
Sanitize Emails
Sanitize HTML Classes
Sanitize HTML
Other Sanitization Functions
• sanitize_file_name()
• sanitize_key()
• sanitize_mime_type()
• sanitize_sql_orderby()
• sanitize_title_for_query()
• sanitize_title_with_dashes()
• sanitize_user()
Validation
Checking user input
Validation Example
Data Type
Validate HTML
Validate Meta
Validate Capability
Validate Option
Validate Intention
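The sanitization and validation slides above list the functions but not how they fit together in a request handler. The following is an added example, not code from the talk or from WordPress core: an admin-post handler that first validates intention (nonce) and capability, then sanitizes and validates each field before saving. It assumes it runs inside WordPress as part of a plugin; the action name, option name "wpyall_demo", text domain and field names are hypothetical.

```php
<?php
/**
 * Added example: save a settings form the way the slides prescribe.
 * Assumes WordPress is loaded; "wpyall_*" names and the option key are hypothetical.
 */
add_action( 'admin_post_wpyall_save_profile', 'wpyall_save_profile' );

function wpyall_save_profile() {
    // Validate intention: the request must carry a nonce tied to this action.
    // check_admin_referer() calls wp_die() if the nonce is missing or invalid.
    check_admin_referer( 'wpyall_save_profile', 'wpyall_nonce' );

    // Validate capability: a valid nonce only proves intent, not authorisation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'wpyall' ), '', array( 'response' => 403 ) );
    }

    // WordPress adds slashes to the superglobals; remove them before sanitizing.
    $input  = wp_unslash( $_POST );
    $errors = array();

    // Sanitize text fields: strips tags, line breaks and surplus whitespace.
    $display_name = sanitize_text_field( $input['display_name'] ?? '' );
    if ( '' === $display_name ) {
        $errors[] = 'display_name is required';
    }

    // Sanitize URL slugs.
    $slug = sanitize_title( $input['slug'] ?? '' );

    // Sanitize URLs for storage: esc_url_raw() keeps the URL usable (esc_url() is for output)
    // and drops anything that is not http or https.
    $website = esc_url_raw( $input['website'] ?? '', array( 'http', 'https' ) );

    // Sanitize, then validate, emails: sanitize_email() strips illegal characters,
    // is_email() tells you whether what is left is actually an address.
    $email = sanitize_email( $input['email'] ?? '' );
    if ( '' !== $email && ! is_email( $email ) ) {
        $errors[] = 'email is not valid';
    }

    // Sanitize HTML classes.
    $css_class = sanitize_html_class( $input['css_class'] ?? '' );

    // Data type: coerce to a non-negative integer, then check the range.
    $per_page = absint( $input['per_page'] ?? 10 );
    if ( $per_page < 1 || $per_page > 100 ) {
        $errors[] = 'per_page must be between 1 and 100';
    }

    // Validate option: accept only a value from a fixed whitelist.
    $layout = $input['layout'] ?? 'list';
    if ( ! in_array( $layout, array( 'list', 'grid' ), true ) ) {
        $errors[] = 'layout must be list or grid';
    }

    // Sanitize HTML: wp_kses() keeps only the listed tags and attributes.
    $allowed_html = array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'strong' => array(),
        'em'     => array(),
        'p'      => array(),
    );
    $raw_bio = $input['bio'] ?? '';
    $bio     = wp_kses( $raw_bio, $allowed_html );

    // Validate HTML: if filtering changed the input, something disallowed was submitted.
    // Caveat: wp_kses() also normalises markup (for example it quotes bare attribute
    // values), so this check is strict and rejects unnormalised but harmless input too.
    if ( $bio !== $raw_bio ) {
        $errors[] = 'bio contains disallowed HTML';
    }

    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    if ( $errors ) {
        wp_safe_redirect( add_query_arg( 'wpyall_error', rawurlencode( implode( '; ', $errors ) ), $back ) );
        exit;
    }

    update_option( 'wpyall_demo', compact( 'display_name', 'slug', 'website', 'email', 'css_class', 'per_page', 'layout', 'bio' ) );
    wp_safe_redirect( add_query_arg( 'wpyall_saved', '1', $back ) );
    exit;
}
```

The form that posts to this handler must submit to admin-post.php with a hidden field action=wpyall_save_profile and include wp_nonce_field( 'wpyall_save_profile', 'wpyall_nonce' ), otherwise check_admin_referer() rejects every request. Sanitizing comes first so that validation runs on the cleaned value, and validation still rejects rather than silently "fixing" data the user did not mean to send.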
Escaping
Securing output
Escape HTML Attributes
Escape HTML
Escape URLs
Escape Textareas
Escape Inline JavaScript
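The escaping slides name one function per output context. As an added example (not code from the talk or from WordPress core), this template function renders the hypothetical "wpyall_demo" option with the escaping function that matches where each value lands: attribute, text node, URL, textarea, or inline script. It assumes WordPress is loaded.

```php
<?php
/**
 * Added example: escape on output, choosing the function by context.
 * Assumes WordPress is loaded; "wpyall_demo" and its keys are hypothetical.
 */
function wpyall_render_profile() {
    $p = wp_parse_args( get_option( 'wpyall_demo', array() ), array(
        'display_name' => '', 'slug' => '', 'website' => '', 'email' => '',
        'css_class' => '', 'bio' => '', 'per_page' => 10,
    ) );
    ?>
    <!-- Escape HTML attributes: anything inside a quoted attribute goes through esc_attr(). -->
    <div id="profile-<?php echo esc_attr( $p['slug'] ); ?>" class="profile <?php echo esc_attr( $p['css_class'] ); ?>">

        <!-- Escape HTML: text between tags goes through esc_html(). Never `echo $var` straight from the database. -->
        <h2><?php echo esc_html( $p['display_name'] ); ?></h2>

        <!-- Escape URLs: esc_url() drops javascript: and other disallowed schemes and
             encodes characters that could otherwise close the attribute. -->
        <a href="<?php echo esc_url( $p['website'] ); ?>"><?php echo esc_html( $p['website'] ); ?></a>
        <a href="<?php echo esc_url( 'mailto:' . $p['email'] ); ?>" title="<?php echo esc_attr( $p['email'] ); ?>">Email</a>

        <!-- HTML that was filtered with wp_kses() on input is filtered again on output with
             wp_kses_post(); esc_html() here would display the tags as literal text. -->
        <div class="bio"><?php echo wp_kses_post( $p['bio'] ); ?></div>

        <!-- Escape textareas: esc_textarea() encodes the value so a "</textarea>" inside the
             data cannot end the element early. -->
        <textarea name="bio"><?php echo esc_textarea( $p['bio'] ); ?></textarea>

        <!-- Escape inline JavaScript: esc_js() for a value inside a single-quoted JS string;
             wp_json_encode() with the HEX flags for a whole value handed to a script, so that
             "</script>" inside the data is emitted as \u003C/script\u003E. -->
        <script>
            var wpyallName    = '<?php echo esc_js( $p['display_name'] ); ?>';
            var wpyallProfile = <?php echo wp_json_encode(
                array( 'slug' => $p['slug'], 'perPage' => (int) $p['per_page'] ),
                JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
            ); ?>;
        </script>
    </div>
    <?php
}
```

Escaping is done as late as possible, at the echo, so the stored value stays intact and the function chosen reflects the actual context; a value that is safe as text (esc_html) is not automatically safe inside an href (esc_url) or a script string (esc_js).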
Escape SQL Queries
(Slide shows the xkcd comic "Exploits of a Mom"; permanent link: http://xkcd.com/327/)
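The SQL slides (and the xkcd comic) make the point that user input concatenated into a query changes the query. As an added example, not from the talk or from WordPress core, here is the vulnerable form beside the safe one: $wpdb->prepare() for values, $wpdb->esc_like() for the LIKE pattern, and a whitelist plus sanitize_sql_orderby() for the ORDER BY identifier, which a placeholder cannot protect. It assumes WordPress is loaded; the table "wpyall_log" and its columns are hypothetical.

```php
<?php
/**
 * Added example: unsafe versus prepared $wpdb queries.
 * Assumes WordPress is loaded; the "wpyall_log" table and columns are hypothetical.
 */

// VULNERABLE (do not use): $search and $orderby are concatenated into the SQL text.
// A $search value of  %' OR 1=1 #  rewrites the WHERE clause and comments out the rest.
function wpyall_search_log_unsafe( $search, $orderby ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpyall_log';
    return $wpdb->get_results(
        "SELECT id, created, message FROM $table WHERE message LIKE '%$search%' ORDER BY $orderby"
    );
}

// SAFE: placeholders for values, a whitelist for identifiers.
function wpyall_search_log( $search, $column = 'id', $order = 'DESC', $limit = 20 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'wpyall_log';

    // ORDER BY takes a column name, and prepare() would quote it as a string,
    // so identifiers are whitelisted instead of parameterised.
    $allowed = array( 'id', 'created', 'message' );
    $column  = in_array( $column, $allowed, true ) ? $column : 'id';
    $order   = ( 'ASC' === strtoupper( $order ) ) ? 'ASC' : 'DESC';

    // sanitize_sql_orderby() accepts only "col [ASC|DESC]" patterns and returns false
    // for anything else; treat false as "use the default".
    $orderby = sanitize_sql_orderby( "$column $order" );
    if ( false === $orderby ) {
        $orderby = 'id DESC';
    }

    // Escaping alone does not neutralise LIKE wildcards: esc_like() escapes % and _
    // in the user value, then prepare() quotes the whole pattern via %s.
    $like = '%' . $wpdb->esc_like( $search ) . '%';

    $sql = $wpdb->prepare(
        "SELECT id, created, message FROM {$table} WHERE message LIKE %s ORDER BY {$orderby} LIMIT %d",
        $like,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}
```

The distinction to keep in mind is values versus structure: prepare() handles values (%s, %d, %f), while table names, column names and sort direction are structure and must come from a list the code controls, never from the request.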
Tips
• Search your code for "echo $" and "echo get_": those are the places where a value reaches the page without passing through an escaping function
• Use VIP Scanner if you are creating a theme
Trust WordPress: use the core sanitization, validation and escaping functions above rather than hand-written replacements
Questions?
How secure is your WordPress theme or plugin? Are you confident that you have protected yourself, your clients or your users against the most common hacks? Validating, sanitizing and escaping are techniques that are foundational to the security of your website, application or software product. Learn how WordPress makes it easy for you to secure your code and start writing better code today!
