MWUG notes from Wednesday 21 January 2015

Some notes from last night’s MWUG meeting. Something I don’t get along to often enough, as Mike has mentioned on occasion. :)

Filtering HTML to exclude all but a small number of HTML elements and attributes

How much do we trust user input? Not. At. All. That’s how much we trust user input. You just don’t know where they’ve been! WordPress has such a plethora of functions for escaping and filtering input and output, that I’m always discovering new possibilities. One I found recently is wp_kses, which allows you to strip …

Escaping lists of strings for SQL in WordPress

Today I found myself wanting to use a query similar to SELECT DISTINCT post_id FROM $wpdb->posts WHERE meta_key IN ( ‘string_x’, ‘string_y’, ‘string_z’ ), but where I needed to construct the values for the list of strings from an array of untrusted values (because we never trust inputs, we always look suspiciously on them if …

Some security suggestions for WordPress (and other) sites

Someone on the Manchester WordPress User Group mailing list recently asked about checking their WordPress site for malware, and as I’ve spent some time decontaminating a WordPress site which was fairly riddled with malware recently, I thought I’d write up some quick pointers which might help you (or me in the future). I’ve broken them down …