wordpress plugin & theme security - wordcamp melbourne - february 2011


DESCRIPTION

The WordPress Plugin & Theme Security presentation at WordCamp Melbourne February 2011.

TRANSCRIPT

Plugin & Theme

Security

http://johnford.is/

@iamjohnford

SQL Injection

BAD

$wpdb->query("UPDATE $wpdb->posts SET post_title = '$new_title' WHERE ID = $id");

BAD

$wpdb->query("SELECT * FROM $wpdb->users WHERE user_login = '$username' AND user_pass = '$password'");

BAD

$username = "' OR 1 -- ";

$wpdb->query("SELECT * FROM $wpdb->users WHERE user_login = '$username' AND user_pass = '$password'");

BAD

$wpdb->query("SELECT * FROM $wpdb->users WHERE user_login = '' OR 1 -- ' AND user_pass = '$password'");

GOOD

$wpdb->update()

GOOD

$wpdb->update( $wpdb->posts, array( 'post_title' => $new_title ), array( 'ID' => $id ));

GOOD

$wpdb->insert( $table, $data );

GOOD

$wpdb->prepare() — binds values through %s / %d placeholders; the string it returns is what you then pass to $wpdb->query() (or $wpdb->get_results()), it does not run the statement itself.

GOOD

$wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_name = %s OR ID = %d", $some_name, $some_id);

XSS

Cross-site Scripting

BAD

<h1> <?php echo $title; ?></h1>

BAD

$title = '<script>jsCode();</script>';

<h1> <?php echo $title; ?></h1>

GOOD

<h1> <?php echo esc_html( $title ); ?></h1>

esc_attr_e()

BAD

<a href="#wordcamp" title="<?php echo $title; ?>"> Link Text</a>

BAD

<?php $title = '" onmouseover="jsCode();'; ?>

<a href="#wordcamp" title="<?php echo $title; ?>"> Link Text</a>

GOOD

<a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>"> Link Text</a>

GOOD

esc_textarea()

BAD

<a href="<?php echo $url; ?>">Link Text</a>

BAD

<?php $url = 'javascript:jsCode();'; ?>

<a href="<?php echo $url; ?>"> Link Text</a>

GOOD

<a href="<?php echo esc_url( $url ); ?>"> Link Text</a>

BAD

<form action="<?php echo $_SERVER['REQUEST_URI']; ?>">

GOOD

<form action="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>">

BAD

<script> var foo = '<?php echo $unsafe; ?>';</script>

GOOD

<script> var foo = '<?php echo esc_js( $unsafe ); ?>';</script>

GOOD

wp_filter_kses( $data ) — for the case where some HTML must be allowed through: rather than escaping everything, it strips any tags and attributes outside the allowed list.

CSRF

Cross-site Request Forgery

Nonces

action-, object-, & user-specific

time-limited secret keys

GOOD

wp_nonce_field( 'plugin-action_object' )

GOOD

check_admin_referer( 'plugin-action_object' ) — verifies the nonce emitted by wp_nonce_field() with the same action string, and stops the request (wp_die) if it is missing or invalid.

eval() = evil
