Safely store code(html/js..) into database

there are two possible injection vectors, server side and client side

  • server side – Just don’t write your own SQL and use the more high level DB access APIs, in your case probably update_option. If you must to access the DB at lower level make sure the API use wpdb::prepare while generating the SQL, which is true for insert but not true for query which requires the use of prepare if you use placeholders in the query.

  • client side – You should never let anyone that is not the admin of the site to admin the plugin. This means it is not suitable to use in a network unless you will restrict the access there to only the super admin. Any other configuration will enable the site’s users to do XSS attacks against other users of the site.

Related Posts:

  1. Who is responsible for data sanitization in WordPress development?
  2. What is the proper way to validate and sanitize JSON response from REST API?
  3. Is sanitize_text_field() is enough to save to DB?
  4. Default WordPress settings API data sanitization
  5. How to display data from custom table in wordpress database?
  6. How does WordPress store data?
  7. Permit Login if table row exists
  8. data (html) migration to posts
  9. What’s the proper way to sanitize checkbox value sent to the database
  10. Using $wpdb | checking entered email against existing emails in db
  11. Where is the HTML-handler part in the wpdb class?
  12. How to resolve ORA-011033: ORACLE initialization or shutdown in progress
  13. Oracle SQL query for Date format
  14. Failed to connect to mysql at 127.0.0.1:3306 with user root access denied for user ‘root’@’localhost'(using password:YES)
  15. Can I have multiple primary keys in a single table?
  16. Using wpdb to connect to a separate database
  17. is_email() VS sanitize_email()
  18. Database connection close
  19. How to create bulk page and content? [closed]
  20. Importing posts from old website to new conflicting post ID’s?
  21. Exporting revisions
  22. WP_Options ID high
  23. Transient RSS feeds in wp_options not removed automatically?
  24. Best way to move live site local
  25. The revisions table in my database is at 70% capacity and growing. What should I do?
  26. WordPress for a very large website
  27. How to use multiple database in wordpress?
  28. Database location in WordPress
  29. WooCommerce with thousands of products – site is very slow – optimize db queries? [closed]
  30. WP_list_table bulk_action get edit and delete
  31. Is removing orphaned wp_postmeta records safe?
  32. Change SQL get_results to search for posts with custom term in custom taxonomy
  33. Add search Value to wp_list_table pagination
  34. stdObject stored in database. How does one convert it to usable format?
  35. I have a table I created, how do I make a form for a user to filter the data?
  36. What ALL can cause “Another update is currently in progress.”? [closed]
  37. Error connecting to DB in /wp-includes/wp-db.php on line 1538 [closed]
  38. Set Display Name to first and last name (phpmyadmin SQL Query)
  39. Trigger Plugin database update after git pull
  40. Does WordPress ever need multiple databases?
  41. Why are no posts showing despite my apparently correct DB restoration?
  42. How to query the WordPress database to get posts of a certain custom post type, taxonomy and field?
  43. Cannot update custom database table row
  44. Best Practice for Validating and Sanitizing Data
  45. SQL Error wp_commentmeta – incorrect table definition
  46. Change WordPress prefix for only one table?
  47. Two websites one database, administrator not working on second website
  48. Select two sums with single get_var statement
  49. How to get the SQL of the changes made to the database from an update or upgrade?
  50. How can i add custom fields into the contact form 7 [closed]
  51. Why does importing copies of the database dump and the document root make WordPress data inconsistent?
  52. Make an Items attribute searchable (taxonomy using existing attribute)
  53. Store partial database to an archive database time to time
  54. Move out of sync posts from one database to another
  55. Migration: Copying database content to a different server
  56. Remove empty rows from the database
  57. Check if post id exist in table than only update instead of inserting new row
  58. Detail explanation of wordpress database fields and metatag list [closed]
  59. CreateOrUpdate in WordPress
  60. $wpdb->get_results($wpdb->prepare(… You have an error in your SQL syntax;
  61. How to convert srcset links from https to http?
  62. How to get a list of WordPress default database tables?
  63. Can local WordPress installs share /wp-content/ folder and database?
  64. How do I sanitize the str_replace function in javascript variables
  65. How to transfer from localHost to live but use the already existing database on the server?
  66. Backing up WordPress database and files
  67. Image link issues after importing a database backup to my local web server
  68. multiple wordpress installs w/shared user database but separate content databases
  69. A change in URL slug in database returns 404, how can I do auto-redirect?
  70. Updating seperate database when post attachment is changed
  71. add featured image dialog box disappear
  72. Displaying table data on a page
  73. muliple wordpress installs (network) on different databases
  74. WordPress Database – wp_usermeta and the correct number of session_tokens rows
  75. Continuous SQL query errors from outside source
  76. How to get a list of articles related to a particular category from my other WordPress website?
  77. Whats the best practise on how to store json data from a custom settings page?
  78. Recovery – Restore Database after moving folder location locally
  79. /wp-admin not accessible after migrating to local host (no plugin issue)
  80. Job and Employee Performance Tracking with Product Safety
  81. set_transient fails if the value has more than 60.000 characters
  82. How do I cleanup my database with data that is no longer being used?
  83. Set SQL_BIG_SELECTS and MAX_JOIN_SIZE on a WP_Query
  84. How to optimize wp_option table?
  85. How do I update a WordPress wp_postmeta meta_value that contains many options
  86. How can I get $wpdb to show MySQL warnings?
  87. About wp database hooks (error establishing connection)
  88. Database for JQuery Autocomplete field
  89. Create Tables in WordPress
  90. Catchable fatal error in formatting.php
  91. Wrong url for the images while using same database for two WordPress installations
  92. WordPress Failed to Login (DB Error)
  93. Sending WordPress database information to cross domain the safe way?
  94. Share WordPress Database
  95. DB access blocked when initializing WP externally
  96. ERROR: “Table Prefix” must not be empty
  97. How do you build a database-centric site in WP?
  98. WordPress: Interact with Database Query Data and Login
  99. Attach posts based on category and position
  100. Getting an error when trying to migrate to DV server from Grid with Media Temple [closed]