Do Cookies Need to be Sanatized Before Being Saved?

This maybe just a personal distinction but I consider:

  • data validation to mean is the data ‘correct’? Is it what we expect?
  • data sanitisation to mean is the data *safe to use *

Though there can be some blurring, typically data validation will only occur when a user-input is taken, or some data is obtained and we wish to make sure its ‘correct’ before we use it. This might be if we expect an integer, is it an integer, if its we expect a date, is it of the correct form? The options API allows you to define a validation callback for your settings.

Data sanitisation is about making the data safe. And this should be done anytime you use the data. Best practise is to sanitise late, i.e. only sanitise just before you use it. Typically you don’t have to worry about this for saving to the databse if you’re using the api functions such as update_option(), update_post_meta() etc (but you do when handling the database directly).

But what is safe depends on context. Is the data intended to be used as an url, in a text input, in text-area, or an SQL query?

So it depends you how you intend to use the variable $full_site_cookie on how you should sanitise it.

In the above you use $get_cookie_check = wp_kses($_GET['view_full_site'],null);. wp_kses() is expensive and it seems you expect the $_GET['view_full_site'] to be ‘true’. Why not just be strict with it:

$get_cookie_check = ( !empty( $_GET['view_full_site'] ) )
                      && 'true' == strtolower( $_GET['view_full_site'] ) );
//$get_cooke_check is now a boolean.

Related Posts:

  1. How safe / sanitized is wp_insert_posts()?
  2. When to use esc_html and when to use sanitize_text_field?
  3. What’s the difference between esc_* functions?
  4. is_email() VS sanitize_email()
  5. Which KSES should be used and when?
  6. What is the purpose of having a token in cookies?
  7. How to escape custom css?
  8. Is default functions like update_post_meta safe to use user inputs?
  9. How does the “authentication unique keys and salts” feature work?
  10. vs WordPress Security
  11. How Could I sanitize the receive data from this code
  12. Auth cookie value security risk?
  13. Is wp_kses the right approach in sanitizing this string?
  14. Is it sensible to worry about sanitizing admin input in plugin custom CSS?
  15. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  16. Does meta-data need to be sanitized?
  17. Session Cookie security questions
  18. Do we need to escape data that we receive from theme options?
  19. How WordPress sanitizes post content on save? Or it doesn’t?
  20. how to sanitizing $_POST with the correct way?
  21. What’s the best approach for generating a new API key?
  22. Simplest two-way encryption using PHP
  23. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  24. how fix “this certificate cannot be verified up to a trusted certification authority”
  25. How can bcrypt have built-in salts?
  26. Getting a List of Currently Available Roles on a WordPress Site?
  27. What’s the easiest way to stop WP from ever logging me out
  28. Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
  29. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  30. Why are passwords exportable as plain text in WordPress?
  31. How to set up fail2ban with WordFence?
  32. Is there a way to force ssl on certain pages
  33. How is password strength calculated?
  34. Regular security checks – what steps should be included?
  35. What are the pros and cons of using a custom front-end to retrieve content from a WordPress back-end
  36. How to sanitize select box values in post meta?
  37. WordPress “Site Health Status” trust it or myself for its security advice?
  38. Is WP vulnerable when updating plugins or themes?
  39. how can i embed wordpress backend in iframe
  40. Garbage in beginning of wp-config.php – was this WP installation compromised?
  41. Security error WP 4.0 + WP phpBB Bridge [closed]
  42. What is the relationship between cURL, WordPress and cacert.pem?
  43. Is it necessary to use esc_url with template tags such as get_permalink?
  44. How to prevent bot or someone to modify any file automatically?
  45. HTTP Security Headers in wp-config
  46. How to remove javascript malware in wordpress site [closed]
  47. Staging Site: Made Public – Security Questions
  48. Best Way to Enable Two Step Authentication
  49. Securing my WordPress Files and Directories
  50. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  51. Securing a multi-user permission structure
  52. No option “I would like my site to be private, visible only to users I choose” in Privacy Settings
  53. Securing wp-config leads to sensitive information leak on wp-settings
  54. Suspicious Files
  55. What’s the point of forbidding access to wp-config.php?
  56. How to sanitize my cookie name
  57. wp-json and what data does it give away?
  58. Is is necessary to use security plugin for wordpress? [closed]
  59. neccessary?
  60. Do We Need to Validate, Sanitize, or Filter Simple Numerical Superglobals (Cookies and Post)?
  61. wp-config.php being written by attacker
  62. How to delete Passwrd Protected posts cookies when a user logged out from the site
  63. Simple Online Payment for Event Registration [closed]
  64. my wordpress website is suspended [closed]
  65. Malware script in database post table only? [closed]
  66. iTheme Security always lockout my account [closed]
  67. WordPress Front end Form – Enable to Submit PHP Codes
  68. Is it safe use wp_editor in public contact form
  69. Is WordPress MultiSite secure & how much can it scale? [closed]
  70. How safe is current_user_can()?
  71. Is it safe to give wordpress directories ownership to www-data?
  72. Why does WordPress change a file’s permissions?
  73. Side effects of disallowing *.php requests in production environment?
  74. Outgoing new connection to linked Websites – why?
  75. Input sanitation
  76. Sanitize user input fields before wp_insert_post
  77. My Site keeps crashing due to the wp-confg file being deleted
  78. Someone keeps changing my SITEURL (mysql injection or xss?) [closed]
  79. Replace domain in database
  80. Does this code indicate an exploit?
  81. What highest security brake with wordpress and static files?
  82. Spam in WordPress root folder
  83. Has anyone developed a anti-spam plugin to simply allow users to BLOCK whatever they wish to, but one that will also go easy on IP addresses?
  84. how to protect wordpress content from crawler
  85. Should I worry about SQL injection when using REST API?
  86. How can I backup my site if it gets hacked?
  87. Cannot access wp admin of WordPress website (security plugin issue) [closed]
  88. Why are the latest visits to my website originating from my own website?
  89. How do I hide WordPress users from security scanning?
  90. Background Updates Not Happening
  91. wp-config.php file and code injection
  92. FORCE_SSL_ADMIN affecting subdomains
  93. What is the best security $_POST method?
  94. How to resolve these findings from security audit
  95. Should WordPress Add Options to Enhance Security or Leave it to plugin developers? [closed]
  96. Directory to store secure file
  97. How can I give someone server access to only duplicate and modify a site?
  98. WP-JSON: Cross Origin Resource Sharing Vulnerability?
  99. How can I implement ansible with per-host passwords, securely?
  100. Can you alter the default wordpress strong password requirements?

Leave a Comment