I am not sure if this helpful or not. As s_ha_dum said, you should post how you are processing the submitted data and sending to db. But for starters, you might look at escaping the outputted data in the form: <input style=”width:100%” type=”text” name=”dataHow to sanitize user input?” id=”title” value=”<?php $title = get_option(‘data_test’); echo esc_attr($title[‘title’]); … Read more
WordPress always escapes quotes encountered in the super globals variables. It is done in https://developer.wordpress.org/reference/functions/wp_magic_quotes/ You will most likely want to strip it with stripslashes before saving it into the DB. something like update_option( ‘tld_wcdpue_settings_email_content’, wp_kses_post( stripslashes($_POST[‘tld_wcdpue_settings_wpeditor’] ) ));
No, you don’t need to escape hardcoded values. As I understand it, if the URL doesn’t have an input via admin, it should be okay. Not necessarily. There’s many more potential sources of potentially malicious (or just accidentally broken) output that need to be accounted for, such as: Translations. Query strings ($_GET) Cookies. WordPress filters. … Read more
In fact to be super pedantic, I think the correct code is actually: echo ‘<option value=”‘ . esc_attr( $folder ) . ‘”>’ . esc_html( $folder ) . ‘</option>’; Since the first variable is an attribute, and the second is encased in html, although I wold bet that the code you have would pass review, and … Read more
Sanitization and escaping is always heavily context-dependent and I’m not an expert in this field, anyway I did some ‘research’ myself recently so I’ll try to supply you with some general guidelines until someone with more insight will come and offer the ultimate in-depth answer (which I’ll be eager to read too.) Codex article on … Read more
You escape on output, what I suspect here is a confusion between escaping sanitizing and validating Sanitise when data arrives. This strips out stuff that shouldn’t be there, e.g. upper case letters in a lower case string, words and letters in a phone number, trailing spaces etc. Sanitising cleans data common sanitising functions include trim, … Read more
Now I have familiarized myself with the above principles via the documentation and I think I have understood them now I don’t know which documentation you read, but you should check the Plugin Security section in the plugin developer’s handbook. And there are three main issues I noticed in your code: Before attempting to use … Read more
I can’t find a function shipped with WordPress that does this, so I created my own: function esc_sql_name( $name ) { return str_replace( “`”, ““”, $name ); } You can use it like this: $escaped_name = esc_sql_name( $column_name ); $sql = $wpdb->prepare( “SELECT * FROM example WHERE `$escaped_name` = %s”, $foobar ); Reference: MySQL documentation … Read more
Adding scripts directly to the content is not a good idea. You can disable escaping of content, but that is even a worse idea. Here we have a couple of solutions. Using a plugin The PHP Code Widget allows you to add almost anything as a widget. If you have some text widgets, you can … Read more
Please try using (blank space) instead of \s and . instead of \w For further details on supported operators and characters please check this link: https://dev.mysql.com/doc/refman/5.7/en/regexp.html