MWUG notes from Wednesday 21 January 2015

Some notes from last night’s MWUG meeting. Something I don’t get along to often enough, as Mike has mentioned on occasion. :)

Filtering HTML to exclude all but a small number of HTML elements and attributes

How much do we trust user input? Not. At. All. That’s how much we trust user input. You just don’t know where they’ve been!

WordPress has such a plethora of functions for escaping and filtering input and output that I’m always discovering new possibilities. One I found recently is wp_kses, which allows you to strip out all HTML, leaving only a limited set of allowed elements and attributes.


Escaping lists of strings for SQL in WordPress

Today I found myself wanting to use a query similar to SELECT DISTINCT post_id FROM $wpdb->posts WHERE meta_key IN ( 'string_x', 'string_y', 'string_z' ), but where I needed to construct the values for the list of strings from an array of untrusted values (because we never trust inputs; we always look suspiciously on them if they’re going near the DB). Looking through the core code, it seems like there’s currently one place it does this and, while less elegant than the WPDB class prepare method, it’s worth me remembering for the future, so…


Some security suggestions for WordPress (and other) sites

Someone on the Manchester WordPress User Group mailing list recently asked about checking their WordPress site for malware, and as I’ve spent some time decontaminating a WordPress site which was fairly riddled with malware recently, I thought I’d write up some quick pointers which might help you (or me in the future). I’ve broken them down into detection and prevention, and noted which are paid and which are free.
