Does using a custom query_var create a security hole?

Regardless of whether you registered new_var as a query_var, all GPC data (GET, POST, COOKIE) should be considered tainted. Basically, this data is user input. This means that you will need to clean and validate the data anyway.

Common cleaning methods include casting the variable to a certain type (like integer or string), using a regex to validate strings, etc. Also, if you are accessing $_GET data directly, don’t forget to do an isset() or empty() check first to prevent “undefined index” notices.

Edit: In the first place, my answer applies to accessing GPC data via PHP’s superglobals. That being said, if you use get_query_var() to retrieve your variable, as far as I see, you still need to clean the variables you registered yourself. WP will clean its standard query vars, of course. See the parse_query() function in wp-includes/query.php.

Related Posts:

  1. Is it true $wpdb->get_results is faster than WP_Query in most cases?
  2. Does WordPress sanitize arguments to WP_Query?
  3. Load More Posts Button – AJAX
  4. My website is getting too many dierect home arechives and this is increasing my bounce rate
  5. sanitize_post() is not sanitizing Post Object
  6. whether a nonce is required for get type and get_query_var?
  7. How ‘secure’ are loops?
  8. Using a custom WP_Query with get_template_part loop
  9. WP_Query orderby post__in remains ineffective in the Loop [closed]
  10. How to make WP_Query ‘post__in’ accept an array?
  11. WP_QUERY Get posts by category and similar name (Like)
  12. Using get_posts vs. WP_Query
  13. Is it possible to orderby multiple meta_keys when using meta_value_num?
  14. Is it possible to wrap Geo Location search around WP_Query?
  15. How to Access Global $multipage or Global $numpages outside the loop?
  16. What is an efficient way to query based on post_meta?
  17. Merging a complex query with post_rewind and splitting posts into two columns
  18. Pagination wont work with search results template [duplicate]
  19. Pagination Not working on Home Page with 2 Query
  20. WP_Query in a shortcode
  21. ‘posts_where’ filter not applying ‘WP_Query’ in `wp_ajax`
  22. WP_Query class not found
  23. Search – Ajax – Alter Query Parameters with Pagination
  24. Access to Instance Variables from WP_Query
  25. WP Query with multiple categories – passing an array works?
  26. Splitting the main query in multiple loops with query_posts and/or pre_get_posts?
  27. how to speed up a complex wp_query?
  28. How do you Query posts with nothing in common?
  29. Exhausted memory limit with very simple WP_Query
  30. When to add_filter() to Custom Query
  31. if/else on custom query gives 200 OK when condition not met?
  32. Creating arguments from loop for WP_Query meta_query
  33. Select from wp_post and multiple meta_value from wp_postmeta
  34. Multiple Loops Inside a Function
  35. Sort users by “birthday” using WP_User_Query
  36. How to use MySQL’s MATCH AGAINST in WP_Query?
  37. Ajax Pagination on Ajax filter
  38. Wp_query returning only one post while query through ajax
  39. only delete post within query / for each statement (front end)
  40. How to optimize multiple WP_Query() calls on one page?
  41. Make a page return false to is_single() and true for is_post_type_archive() before wp_enqueue_scripts
  42. category query for pages not working
  43. date_query on draft posts only
  44. How to get list of posts from permalinks?
  45. wp_query not working with post_type
  46. WP_Query posts with comments only
  47. how to use pre_gets_posts to exclude one queried ID from homepage loop
  48. Default permalink structure causing Notice: Undefined property: WP_Query::$post
  49. How to check the array values, what WP_Query has brought to me?
  50. How to Order a list of taxonomies? orderby?
  51. queried_object using pre_get_posts gets notices and warning
  52. post_parent don’t work and return 0 page
  53. date_query in pre_get_posts out of memory
  54. WP_QUERY wrong ammount of posts
  55. How to add sort order to incremented and paginated category loop
  56. Get specific ACF key and value from all posts – no access to DB
  57. Query only displays one page_id
  58. How to exclude a category name from showing?
  59. How to set parameters for search loop?
  60. Get posts with no tags?
  61. get_posts query matches too many results
  62. Register Taxonomy – What is `query_var`?
  63. Get Post ID as a separate RSS feed item
  64. how to retrieve WP_Query without ordering by date [duplicate]
  65. Which is from this queries is more faster
  66. Start Query from 2nd Post without offset
  67. Related posts by current posts child category
  68. Trying to change category of wp_query
  69. Any quicker alternative for WP_Query “NOT IN”
  70. duplicated posts when using pagination
  71. Is it possible to give a classname to specific comments in the WordPress admin?
  72. How can I have sticky posts while ALSO showing posts from a specific category using one WP_Query?
  73. meta_query order by date present -> future then show null
  74. How to upload 3 attachments to current post?
  75. In a WordPress multisite configuration, how do I instruct WP_Query() to return posts from a sub-site?
  76. How to query for exact string in custom field?
  77. Multi line of $wpdb->query just run 1 time and end the loop right after
  78. WP_Query for posts that have postmeta assigned to a taxonomy
  79. Paginated Author.php not using Author.php template
  80. Help displaying related categories
  81. A very strange problem with search query
  82. In Product Category archives how to show Posts having same/similar prod_cat slug structure?
  83. Custom Theme Building & Permalinks
  84. Custom loop – Isolating post meta output depending on current query taxonomy terms
  85. wp_query – show pages that have parent defined
  86. previous_posts_link not working in WordPress pagination
  87. Eliminate typical pages on search page, turn it into ajax search with “infinite” sized single page
  88. Orderby Meta Value and Query from Meta Query
  89. WP Query to order posts by multiple meta fields
  90. Sort posts in dashboard using custom field; also include posts where field isn’t set
  91. Display First posts without the default featured image
  92. paginate_links() with Custom Taxonomy
  93. Parsing External Table Arguments
  94. Query posts by meta value and sort by another meta key
  95. Output ACF field dynamicaly within a taxonomy loop [closed]
  96. Why does WP_Query not search for two ‘meta_query’ keys separated with OR?
  97. How do I split a large query with a semi-expensive function included into multiple smaller queries
  98. Custom WP_query in Jnews theme returns thousands of posts
  99. Display post format post in the sidebar
  100. Is there another way to retrieve a post_id from post_meta other than a SQL query?

Leave a Comment