5 escaping tips to fix cross-site scripting and SQL injection attacks in WordPress

Many developers build WordPress websites without paying much attention to security. When we write custom plugins for our own sites we often skip the WordPress coding standards, and that is how cross-site scripting (XSS) and SQL injection creep in. This article looks at both classes of attack and shows how to close them with the escaping and sanitization functions that WordPress ships by default.
WordPress provides a separate escaping function for each place untrusted data can end up, because the characters that are dangerous differ from one output context to the next. The five contexts are:
1. Text Nodes
2. Attribute Nodes
3. JavaScript
4. URLs
5. Database

Text Nodes:
1. esc_html(): encodes < > & " ' (less than, greater than, ampersand, double quote, single quote) so the value renders as literal text, and applies the esc_html filter to the output. Entities that are already present in the value are left as they are rather than double-encoded.
Use it for any value a plugin echoes between HTML tags, for example a stored title or a user's display name.

Use this function only when the output lands in an HTML text node, that is, between tags. It is not sufficient on its own inside an attribute, a <script> block or a URL; those contexts have their own functions, covered below.

2. esc_textarea(): encodes a value for use as the content of a <textarea> element. Unlike esc_html(), it calls htmlspecialchars() with double-encoding enabled, so whatever the user typed comes back exactly as typed when the form is redisplayed, even if it already contained entities. Apply it to anything echoed between <textarea> and </textarea>.

3. sanitize_text_field(): unlike the esc_* functions, which protect output, this one cleans input. When we build a registration or contact form in WordPress to collect user details, every single-line value submitted through that form should pass through sanitize_text_field() before it is stored or used.

It checks for invalid UTF-8, converts lone < characters to entities, strips all tags, removes line breaks, tabs and extra whitespace, and strips percent-encoded octets. Sanitizing on input does not replace escaping on output: a value cleaned with sanitize_text_field() still has to go through esc_html() or esc_attr() when it is displayed.
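The following is an added example and not code from the original article. It ties the three text-node functions together in one profile form: sanitize_text_field() and sanitize_textarea_field() clean the submitted values, and esc_html(), esc_attr() and esc_textarea() escape them again when the form is redrawn. It must be loaded as part of a WordPress plugin, since all of those functions, the nonce helpers and the user-meta API are defined by WordPress core; the demo_* names and meta keys are illustrative.

```php
<?php
/**
 * Added example, not code from the original article. Load as part of a
 * WordPress plugin: sanitize_text_field(), esc_html(), esc_textarea() and
 * the nonce/user-meta functions come from core. demo_* names are illustrative.
 */

/**
 * Handle the submitted profile form: sanitize on the way IN.
 */
function demo_handle_profile_form() {
    if ( ! is_user_logged_in()
        || ! isset( $_POST['demo_profile_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_profile_nonce'], 'demo_profile' ) ) {
        wp_die( 'Invalid request.' );
    }

    // WordPress adds slashes to superglobals, so unslash before sanitizing.
    // sanitize_text_field() drops tags, line breaks, tabs, runs of whitespace,
    // percent-encoded octets and invalid UTF-8 from a single-line value.
    $display_name = sanitize_text_field( wp_unslash( $_POST['display_name'] ?? '' ) );

    // A multi-line field should keep its newlines: use the textarea variant.
    $bio = sanitize_textarea_field( wp_unslash( $_POST['bio'] ?? '' ) );

    $user_id = get_current_user_id();
    update_user_meta( $user_id, 'demo_display_name', $display_name );
    update_user_meta( $user_id, 'demo_bio', $bio );

    wp_safe_redirect( wp_get_referer() ?: home_url( '/' ) );
    exit;
}
add_action( 'admin_post_demo_profile', 'demo_handle_profile_form' );

/**
 * Render the form: escape on the way OUT, for the context each value lands in.
 * Stored values are still untrusted; sanitizing at input time is not a
 * substitute for escaping here.
 */
function demo_render_profile_form() {
    $user_id      = get_current_user_id();
    $display_name = get_user_meta( $user_id, 'demo_display_name', true );
    $bio          = get_user_meta( $user_id, 'demo_bio', true );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_profile">
        <?php wp_nonce_field( 'demo_profile', 'demo_profile_nonce' ); ?>

        <!-- Text node: printed between tags, so esc_html(). Entities already
             present in the value are left alone, not double-encoded. -->
        <p>Signed in as <strong><?php echo esc_html( $display_name ); ?></strong></p>

        <!-- Attribute value: esc_attr(), never esc_html(), inside value="" -->
        <p><label>Display name
            <input type="text" name="display_name"
                   value="<?php echo esc_attr( $display_name ); ?>"></label></p>

        <!-- textarea content: esc_textarea() uses htmlspecialchars() WITH
             double-encoding, so what the user typed comes back exactly as
             typed even if it already contained an entity. -->
        <p><label>Bio
            <textarea name="bio" rows="4"><?php echo esc_textarea( $bio ); ?></textarea></label></p>

        <button type="submit">Save</button>
    </form>
    <?php
}
```

The split matters: sanitize_* functions decide what is allowed to be stored, esc_* functions make whatever is stored safe for one specific output context. Dropping either half leaves a gap, because data also reaches the database through imports, REST calls and other plugins that never ran your sanitizer.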

Attribute Nodes:
1. esc_attr(): use it whenever a value is placed inside an HTML attribute, such as the value="" of a form input. An unescaped double quote in the value would close the attribute and let the rest of the input become new attributes, including event handlers.

In the plugin code this article was written around, the value of $EM_Ticket->ticket_id is passed through esc_attr() before being echoed into the input's value attribute. esc_attr() encodes < > & " ' (less than, greater than, ampersand, double quote, single quote). It is identical to esc_html() except that it applies the attribute_escape filter to the output.

JavaScript
1. esc_js(): escapes a value for use inside a single-quoted JavaScript string literal in inline JavaScript, typically an onclick or similar attribute. It escapes single quotes, backslashes and newlines, so the value cannot break out of the string.
In the usual pattern the first PHP segment uses esc_attr(), because it fills an HTML attribute of the input, while the following PHP segments use esc_js() because they sit inside inline JavaScript. Note that esc_js() is only correct between single quotes; a double-quoted string or a bare JavaScript value needs a different approach, such as wp_json_encode().
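The following is an added example, not the article's or the plugin's own code. It shows the attribute-versus-JavaScript split described above for a ticket row: esc_attr() for the value="" attribute, esc_js() for the single-quoted string in an onclick handler, and wp_json_encode() for handing a whole object to a <script> block. It runs inside a WordPress plugin; $ticket is a hypothetical object standing in for the article's $EM_Ticket, and the demo_* names are illustrative.

```php
<?php
/**
 * Added example, not code from the original article. Runs inside a
 * WordPress plugin. $ticket is a hypothetical object standing in for the
 * article's $EM_Ticket; its ticket_id and ticket_name come from plugin data
 * and are treated as untrusted. demo_* names are illustrative.
 */

/**
 * One ticket row with the id echoed into two different contexts.
 */
function demo_render_ticket_row( $ticket ) {
    ?>
    <!-- HTML attribute: esc_attr(). A quote in the value would otherwise
         terminate value="" and turn the rest into new attributes. -->
    <input type="checkbox" name="tickets[]"
           value="<?php echo esc_attr( $ticket->ticket_id ); ?>">

    <!-- Inline JS in an attribute, inside a single-quoted string: esc_js().
         It escapes ', \ and newlines and entity-encodes " < > &, so the value
         can neither end the JS string nor the onclick attribute. -->
    <button type="button"
            onclick="demoSelectTicket('<?php echo esc_js( $ticket->ticket_id ); ?>');">
        Select
    </button>
    <?php
}

/**
 * Passing values into a <script> block. esc_js() still covers a single-quoted
 * string, but the HTML entities it produces stay literal there, because no
 * HTML decoding happens inside <script>. For a whole value or structure,
 * wp_json_encode() with the JSON_HEX_* flags yields a JavaScript literal in
 * which < > & ' " are hex-escaped, so a "</script>" inside the data cannot
 * close the block.
 */
function demo_print_ticket_script( $ticket ) {
    $json_flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $data       = array(
        'id'   => (int) $ticket->ticket_id,
        'name' => (string) $ticket->ticket_name,
    );
    ?>
    <script>
        // Single-quoted string literal: esc_js() is the right escaper.
        var demoTicketName = '<?php echo esc_js( $ticket->ticket_name ); ?>';

        // Whole object: let wp_json_encode() build the literal.
        var demoTicket = <?php echo wp_json_encode( $data, $json_flags ); ?>;

        function demoSelectTicket( id ) {
            // The id arrives as a string from the onclick handler.
            console.log( 'selected', String( id ) === String( demoTicket.id ) );
        }
    </script>
    <?php
}
```

If the script is enqueued rather than printed inline, wp_add_inline_script() or wp_localize_script() can carry the same JSON-encoded data, which also keeps the page compatible with a Content-Security-Policy that forbids inline handlers.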

URLs
1. esc_url(): sanitizes a URL before it is echoed into an href, src or similar attribute. It rejects URLs whose scheme is not in the allowed list (by default http, https, ftp, ftps, mailto, news, irc, gopher, nntp, feed and telnet; later WordPress releases add a few more), returning an empty string for them, and it removes invalid and dangerous characters. It replaces clean_url(), which was deprecated in WordPress 3.0.
Because it is meant for (X)HTML or XML output, it encodes ampersands (&) and single quotes (') as the numeric entity references &#038; and &#039;. When a URL is going to be stored in the database or passed to a redirect rather than printed, use esc_url_raw(), which performs the same validation without the entity encoding.
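The following is an added example and not code from the original article. It shows esc_url() guarding a link in HTML, esc_url_raw() guarding the same value on its way into the database, and a handful of constructed inputs that exercise both the accepted and the rejected paths. It runs inside a WordPress plugin; the demo_* names and the meta key are illustrative.

```php
<?php
/**
 * Added example, not code from the original article. Runs inside a WordPress
 * plugin. demo_* names, the meta key and the sample inputs are illustrative.
 */

/**
 * Output: esc_url() for anything echoed into HTML. Schemes outside
 * wp_allowed_protocols() make it return '', characters that cannot appear in
 * a URL are stripped, and & and ' are entity-encoded for the HTML context.
 */
function demo_render_profile_link( $url, $label ) {
    $safe = esc_url( $url );
    if ( '' === $safe ) {
        // Rejected scheme or empty input: render plain text, no link.
        return '<span>' . esc_html( $label ) . '</span>';
    }
    return sprintf(
        '<a href="%s" rel="noopener noreferrer">%s</a>',
        $safe,
        esc_html( $label )
    );
}

/**
 * Storage and redirects: esc_url_raw() does the same validation but leaves
 * & and ' unencoded, so the stored value is a real URL rather than its
 * HTML-escaped form. Escape it again with esc_url() when printing it later.
 */
function demo_save_profile_url( $user_id, $raw_input ) {
    $url = esc_url_raw( wp_unslash( $raw_input ) );
    if ( '' === $url ) {
        return new WP_Error( 'demo_bad_url', 'That does not look like a web address.' );
    }
    update_user_meta( $user_id, 'demo_profile_url', $url );
    return true;
}

/**
 * Constructed inputs (not real user data) run through the display path.
 */
function demo_url_examples() {
    $inputs = array(
        'https://example.com/?a=1&b=2',       // allowed scheme; & is entity-encoded for display
        'mailto:someone@example.com',          // allowed scheme
        'example.com/path',                    // no scheme: esc_url() prepends http://
        'javascript:alert(document.cookie)',   // scheme not in the allow-list: rejected
        'data:text/html;base64,PHNjcmlwdD4=',  // scheme not in the allow-list: rejected
    );
    $out = '';
    foreach ( $inputs as $input ) {
        $out .= demo_render_profile_link( $input, $input ) . "\n";
    }
    return $out;
}
```

Treat an empty return from esc_url() or esc_url_raw() as a validation failure rather than silently writing an empty href: an <a href=""> points back at the current page, which is rarely what the author of the link intended.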

Database

1. esc_sql(): escapes a string, or every string in an array, for use inside a quoted literal in a SQL query. Every value that originates from a user has to go through it before it is concatenated into a query.

Escaping alone does not make a query safe, though. esc_sql() protects a value only when the result is wrapped in quotes; it does nothing for a number used without quotes, for table or column names, or for an ORDER BY clause. Wherever possible, build queries with $wpdb->prepare() and %s/%d placeholders, which handles the quoting and escaping for you, and keep esc_sql() for the few cases prepare() cannot express.
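The following is an added example and not code from the original article. It puts a vulnerable query next to the two safe forms: esc_sql() used correctly inside quotes, and $wpdb->prepare() with placeholders, which is the form to reach for first. It assumes a WordPress plugin with a hypothetical custom table {$wpdb->prefix}demo_tickets having the columns id, event_id, ticket_name and status; the demo_* names are illustrative.

```php
<?php
/**
 * Added example, not code from the original article. Assumes a WordPress
 * plugin with a hypothetical table {$wpdb->prefix}demo_tickets
 * (columns id, event_id, ticket_name, status). demo_* names are illustrative.
 */

/**
 * VULNERABLE: request data interpolated straight into SQL.
 * $status = "x' OR '1'='1" turns this into a query for every row.
 */
function demo_tickets_unsafe( $status ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT id, ticket_name FROM {$wpdb->prefix}demo_tickets WHERE status = '$status'"
    );
}

/**
 * esc_sql() escapes quote and backslash characters for the current
 * connection. It is a defence only because the result sits INSIDE quotes;
 * it does nothing for a bare number, an identifier or an ORDER BY direction.
 */
function demo_tickets_esc_sql( $status ) {
    global $wpdb;
    $status = esc_sql( $status );
    return $wpdb->get_results(
        "SELECT id, ticket_name FROM {$wpdb->prefix}demo_tickets WHERE status = '$status'"
    );
}

/**
 * Preferred: $wpdb->prepare() with placeholders. %s is quoted and escaped,
 * %d is cast to an integer, so no input can change the query's structure.
 * (WordPress 6.2 added %i for identifiers; the allow-list below works on
 * older versions too.)
 */
function demo_tickets_prepared( $event_id, $status, $order_by ) {
    global $wpdb;

    // Identifiers cannot be escaped like data; allow-list them instead.
    $allowed_order = array( 'id', 'ticket_name' );
    if ( ! in_array( $order_by, $allowed_order, true ) ) {
        $order_by = 'id';
    }

    $sql = $wpdb->prepare(
        "SELECT id, ticket_name FROM {$wpdb->prefix}demo_tickets
         WHERE event_id = %d AND status = %s
         ORDER BY $order_by",
        $event_id,
        $status
    );
    return $wpdb->get_results( $sql );
}

/**
 * esc_sql() also accepts an array, which suits an IN (...) list as long as
 * every element is then quoted explicitly.
 */
function demo_tickets_in_statuses( array $statuses ) {
    global $wpdb;
    $escaped = esc_sql( $statuses );
    $list    = "'" . implode( "','", $escaped ) . "'";
    return $wpdb->get_results(
        "SELECT id, ticket_name FROM {$wpdb->prefix}demo_tickets WHERE status IN ($list)"
    );
}
```

The allow-list for ORDER BY is the part people most often leave out: neither esc_sql() nor a %s placeholder can make a column name safe, because a quoted string is not a valid identifier in that position.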

Thanks for reading this article.


Saritha Reddy

I am Saritha Reddy, a remote CodeIgniter and AngularJS developer. I have 4+ years of strong experience in designing, implementing, programming and delivering advanced XAMPP (Apache, MySQL and PHP) web application development. I am an Indian national based in Hyderabad, Andhra Pradesh. In addition to providing custom programming and design, I also have extensive experience with open source technologies to keep costs down and get websites running with as little fuss and wait as possible.
