If I were a hacker with access to the database, wouldn’t I just add my code to a post’s content? If you’ve got access to the database, chances are that you’ve got enough access that escaping isn’t going to stop you. Escaping is not going to help you if you’ve been hacked. It’s not supposed … Read more
(I’m a sucker for alternative login schemes) Some nitpicking regarding DB escaping: You use mysql_real_escape_string() directly. The preferred method is using $wpdb->prepare() or esc_sql(). UPDATE queries are best handled by $wpdb->update()
It would appear that out of the box, there isn’t a difference function esc_html( $text ) { $safe_text = wp_check_invalid_utf8( $text ); $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES ); /** * Filters a string cleaned and escaped for output in HTML. * * Text passed to esc_html() is stripped of invalid or special characters * before … Read more
localhost refers to the machine it’s running on. For example on my own site tomjn.com localhost is 127.0.0.1 as it always is. This doesn’t mean the hacker doesn’t know where to connect, it means the hacker replaces localhost with tomjn.com. Of course if I have a proxy sitting in front this won’t work, but keep … Read more
If you did want to lock things down…. a normal wordpress site will usually only require the database user to have SELECT, INSERT, UPDATE and DELETE. If you want to use the automatic update feature it will also require CREATE and ALTER. Some plugins may require other permissions but most won’t.
Nonces are unique to each logged-in user. You can’t scrape a logged-in user’s nonces unless you have their cookies. But if you have a user’s cookies, you’ve already stolen their identity and can do whatever you want. Nonces are meant to protect against users being tricked into doing something they didn’t mean to do, by … Read more
I’m hereby answering my own question, because i found a solution, but I’m really interested in your opinions towards it. Or maybe you have a much better solution, if so, I really would like to here about it. Research result My research results were: 1. get the files outside of the document root, www folder; … Read more
There is no absolutely safe way to store such information permanently. You have two options to increase security a little bit: Use the options table and encrypt the data Use a strong encryption method, and bind it to either: your password when you want to use the API call only when you are logged in, … Read more
We have to look a bit deeper here to get an answer to your question. So, bloginfo is a simple wrapper around get_bloginfo. <?php function bloginfo( $show=” ) { echo get_bloginfo( $show, ‘display’ ); } Notice the second argument display. Let’s see what that does. <?php function get_bloginfo( $show = ”, $filter=”raw” ) { // … Read more
esc_html() is more or less lossless — it just turns HTML markup into encoded visible text, so that it’s not rendered as markup by browser. Semantically it’s escape, so it’s meant to be used to make output to page safe. sanitize_text_field() however actually removes all HTML markup, as well as extra whitespace. It leaves nothing … Read more