Some notes from last night’s MWUG meeting. Something I don’t get along to often enough, as Mike has mentioned on occasion. :)
Tag Archives: security
Filtering HTML to exclude all but a small number of HTML elements and attributes
How much do we trust user input? Not. At. All. That’s how much we trust user input. You just don’t know where they’ve been! WordPress has such a plethora of functions for escaping and filtering input and output, that I’m always discovering new possibilities. One I found recently is wp_kses, which allows you to strip …
Continue reading “Filtering HTML to exclude all but a small number of HTML elements and attributes”
Escaping lists of strings for SQL in WordPress
Today I found myself wanting to use a query similar to SELECT DISTINCT post_id FROM $wpdb->posts WHERE meta_key IN ( 'string_x', 'string_y', 'string_z' ), but where I needed to construct the values for the list of strings from an array of untrusted values (because we never trust inputs, we always look suspiciously on them if …
Continue reading “Escaping lists of strings for SQL in WordPress”
Some security suggestions for WordPress (and other) sites
Someone on the Manchester WordPress User Group mailing list recently asked about checking their WordPress site for malware, and as I’ve spent some time decontaminating a WordPress site which was fairly riddled with malware recently, I thought I’d write up some quick pointers which might help you (or me in the future). I’ve broken them down …
Continue reading “Some security suggestions for WordPress (and other) sites”