Does WordPress sanitize arguments to WP_Query?

It’s actually a good question. Of course user input cannot be trusted, but also sanitizing the same value twice “just in case” isn’t the best solution for a problem.

The only real answer to this question can be given by looking at the code and following what goes on.

And after reading it for a few hours, here is what I can say about it:

WP Query sanitizes the values but it doesn’t do it all in one place. Values are being sanitized before they are actually used. It’s a very organic and on the go approach. Also, not all of the values are sanitized, but in those cases a prepared statement is used for the SQL query.

Let’s get into detail

So, what happens when we do:

$query = new WP_Query($args);

The WP_Query class constructor checks if the $args is an empty array or not. And if it’s not, it will run its query() method passing the $args array (which is at this point called $query array).

$this->query($query);

The query() method calls the init() method which unsets possible previous values and sets new defaults.

Then it runs wp_parse_args() on the $args array. This function does not sanitize anything, it serves like a bridge between default data and input data.

The next call is for the get_posts() method, which is in charge of retrieving the posts based on the given query variables.

The first thing that is called inside the get_posts() method is the parse_query() method, which starts by calling the fill_query_vars() method (this one makes sure that a list of default keys are set. The ones that are not, get set with an empty string or empty array depending on the case).

Then, still inside the parse_query() method, the first santization takes place.

p is checked against is_scalar() and cleaned with intval()

Also absint() is used on the following values:

page_id
year
monthnum
day
w
paged
hour
minute
second
attachment_id

Also, a preg_replace('|[^0-9]|'...) is run on m, cat, author to only allow comma separated list of positive or negative integers on these.

For other values at this point, only the trim() function is used. This is the case for:

pagename
name
title

After this, the method starts checking what type of query we are running. Is it a search? An attachment? A page? A single post? …

If a pagename is set then we call (without sanitizing the value) get_page_by_path($qv['pagename']). But checking that function source we can see that the value is sanitized with esc_sql() before it’s used for a database request.

After that, we can see that when the keys post_type or post_status are used, they are both sanitized with sanitize_key() (Only lowercase alphanumeric characters, dashes, and underscores are allowed).

For the taxonomy related parameters, the parse_tax_query() method is called.

category__and, category__in, category__not_in, tag_id, tag__in, tag__not_in, tag__and are sanitized with absint()

tag_slug__in and tag_slug__and are sanitized with sanitize_title_for_query()

At this point the parse_query() method is over, but we still are inside the get_posts() method.

posts_per_page is sanitized.

title is being used unsanitized but with a prepared statement. You may find this question interesting: Are prepared statements enough to prevent SQL injection?

Then we have post__in and post__not_in that are being sanitized with absint().

And if you keep reading the code and pay attention, you will see that all the keys are actually being sanitized before they get to touch a SQL statement or a prepared statement is used instead.

So, to answer your original question:

Does WordPress sanitize arguments to WP_Query?

It does sanitize most of them but not all. For example, pagename, name and title are only “cleaned” with the trim() function (does not return SQL safe values!). But for the values that are not sanitized, a prepared statement is used to perform the database request.

Should you trust this?

Well, in this specific case I would prefer to go for the possibly redundant just presanitize everything approach before you throw it into the query.

Me too, as an engineering student, I would love a solid yes or no answer. But note that the WordPress codebase has evolved in a natural way so it’s just like nature: messy. It does not mean it’s bad. But messy means that there could be an unseen edge-case where somebody could potentially sneak in with a bomb. And you can prevent that by just doubling your guards!

Related Posts:

  1. Sanitation needed for WP_Query or get_posts calls?
  2. Escaping WP_Query tax_query when term has special character(s)
  3. Is it true $wpdb->get_results is faster than WP_Query in most cases?
  4. Does using a custom query_var create a security hole?
  5. Sanitizing search data for use with WP_Query
  6. Load More Posts Button – AJAX
  7. My website is getting too many dierect home arechives and this is increasing my bounce rate
  8. sanitize_post() is not sanitizing Post Object
  9. whether a nonce is required for get type and get_query_var?
  10. Escaping WP_Query tax_query when term has special character(s)
  11. Escaping WP_Query tax_query when term has special character(s)
  12. How ‘secure’ are loops?
  13. WP_Query with “post_title LIKE ‘something%'”?
  14. How to extend WP_Query to include custom table in query?
  15. Best way to detect if you are in a SINGLE POST page
  16. compare meta_query in get_posts arguments
  17. How to do a wp_query using “BETWEEN” with two meta_values?
  18. Better way to get tag stats?
  19. Display recent posts from the same category as current post in sidebar
  20. WP_Query pulling an extra post per page
  21. WP_Query with LIKE in meta gives strange query
  22. WP_Query not working as expected for attachments and custom meta_query
  23. Use Transient API to cache queries for all posts in all categories?
  24. How to Get All Posts but the Private ones?
  25. querying on custom meta fields and sorting them by custom meta
  26. WP Query by Gutenberg block and get its attribute
  27. How do I search WordPress by different fields without a plugin?
  28. Custom URl parameter
  29. Foreach-generated custom tax queries, each with an ajax “Load more” button
  30. Compile meta values from custom loop into array and then calculate sum total
  31. order by multiple meta keys in pre_get_posts
  32. Order By Multiple Meta Fields
  33. WP_Query Performance Issues with meta_query
  34. Advanced WP Query hogs the SQL server
  35. How to use order RAND() on WordPress?
  36. WP_QUERY loop, offset in the arguments and the paginate_links – can these work together?
  37. wp_query for displaying attachments with a tag
  38. How to combine meta_query and post__in in WP_Query
  39. Is it faster to query records using $wpdb instead of Wp_Query?
  40. Display posts if specific country
  41. Meta box dropdown of custom posts
  42. Query: offset post list, unless it’s a specific category
  43. Get posts for which a custom field is not present, with get_posts
  44. Output an array of terms for a ‘tax_query’ => array()
  45. querying data via $wpdb and get_row
  46. Combining categories (Query posts with multiple taxonomy terms)
  47. Filtering out child category posts from parent category archive not working
  48. wp_update_post not working
  49. WP_Query with offset and ‘orderby’ => ‘rand’, offset not working
  50. WP_Query Limit Data_Query last 90 days
  51. Sort WordPress Posts Meta value by Week not Day
  52. WP_Query arguments order
  53. Does meta-data need to be sanitized?
  54. Best choice for multiple loop in page?
  55. new WP_Query messes up pagination
  56. How to create custom query by keyword in post title?
  57. Get Child Category only
  58. Order is breaking wp_query
  59. How to display all posts not in a post_format
  60. How to filter query loop block with a search string from the query parameters
  61. WP_Query – How to get all posts of specific days of week by custom field date?
  62. Use title of post as argument for query
  63. How can I comment comma-separated array values?
  64. WP_Query returns no posts for category
  65. Different Loop for tag pages?
  66. Orderby two meta fields not working
  67. Post__not_in only removing first 2 pages
  68. Query posts by searching for a string in a meta field
  69. Added Date Filter To Popular Posts Query
  70. WP_Query: attachment image in “full” size?
  71. Adding pagination to sub-wp_query within a singular post page
  72. How can I build a query that returns all attachments of a page and it’s children pages?
  73. Query ACF relationship field – Comparator IN – Value array
  74. Use get_cat_ID to retreive multiple category IDs
  75. Make a products only viewable to a specific user ID in meta_query pre_get_posts
  76. get_post_format is not returning standard
  77. Duplice post with standard WP loop – fixed by using query_posts() instead
  78. WP_Query paginate with one term per page?
  79. Exclude parent categories from recent posts list
  80. custom excerpt is not being shown
  81. Filtering WP_Query based on wp_postmeta keys values
  82. using custom meta user data to run queries in WordPress
  83. meta_query only check if both value are set
  84. post_type not working when tag__in is present?
  85. posts_per_page increment additional post
  86. WordPress wp_query add custom query as field
  87. 3 wp_query on one page with pagination for last query
  88. Optimize WP_Query
  89. Add a custom variable to query page object
  90. Read more redirection problem
  91. Help in query for list links
  92. Multiple loops on index page with sticky post and pagination
  93. Search (Custom Form, Custom Search Result)
  94. Randomly display posts on a site hosted by WPEngine? [closed]
  95. tax_query not working properly with get_posts
  96. Get access to all terms associated to each post that the wp_query loop displays
  97. WordPress WP_Query Search (‘s’) With Multiple Search Terms
  98. I want to place a post before all others from an ACF boleen field
  99. How to put posts with some taxonomy on top of others in `pre_get_posts`
  100. wp_query, calculate with two dates when ‘key’ is text format

Leave a Comment