sanitizing, validating and escaping in wordpress themes and plugins
DESCRIPTION
How secure is your WordPress theme or plugin? Are you confident that you have protected yourself, your clients or your users against the most common hacks? Validating, sanitizing and escaping are techniques that are foundational to the security of your website, application or software product. Learn how WordPress makes it easy for you to secure your code and start writing better code today!TRANSCRIPT
Sanitizing, Validating and Escapingin WordPress Themes and Plugins
by Micah Wood @wpscholar
wpscholar.com/wpyall2014
SanitizationCleaning user input
Sanitization Example
Sanitize Text Fields
Sanitize URL Slugs
Sanitize URLs
Sanitize Emails
Sanitize HTML Classes
Sanitize HTML
Other Sanitization Functions• sanitize_file_name() • sanitize_key() • sanitize_mime_type() • sanitize_sql_orderby() • sanitize_title_for_query() • sanitize_title_with_dashes() • sanitize_user()
ValidationChecking user input
Validation Example
Data Type
Validate HTML
Validate Meta
Validate Capability
Validate Option
Validate Intention
EscapingSecuring output
Escape HTML Attributes
Escape HTML Attributes
Escape HTML
Escape HTML
Escape URLs
Escape Textareas
Escape Inline JavaScript
Escape SQL Queries
Escape SQL Queries
Escape SQL Queries
Escape SQL Queries
Escape SQL Queries
Tips• Search for echo $ and echo get_ • Use VIP Scanner if you are creating a theme
Trust WordPress
Questions?