5 escaping tips to fix cross-site scripting and SQL injection attacks in WordPress.
Most developers build WordPress websites without taking care of security. When coding custom plugins for our websites we often do not follow the coding standards, which leads to cross-site scripting and SQL injection attacks. Today we will discuss these attacks and fix the issues using WordPress's default escaping functions.
If you find WordPress website maintenance difficult, Dreamhost provides automatic WordPress install and core updates; go for its Managed WordPress Hosting.
There are different types of output escaping, depending on where the output ends up. Let's see them:
1. Text Nodes
2. Attribute Nodes
1. esc_html(): escapes < > & " ' (less than, greater than, ampersand, double quote, single quote) and applies the esc_html filter to the output.
A simple example of using this function in a WordPress plugin is shown below.
In the above code we are escaping the output using esc_html(). Use this function only when the output is displayed inside an HTML block (a text node), not inside an attribute.
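The following is an added example (not the original post's code) of a shortcode that prints a visitor-supplied attribute inside an HTML text node; the shortcode name and function names are assumed, and it expects to run inside WordPress where esc_html(), shortcode_atts() and add_shortcode() are loaded.

```php
<?php
// Added example, not the original post's code. Assumes a WordPress
// environment; the shortcode name "demo_greeting" is made up for this demo.

// Vulnerable form: the attribute value is concatenated raw, so any markup
// the visitor puts into it is parsed by the browser as markup (XSS).
function demo_greeting_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'World' ), $atts );
    return '<p>Hello, ' . $atts['name'] . '!</p>';
}

// Hardened form: esc_html() encodes < > & " ' at the point of output, so the
// value is rendered as literal text. Escaping belongs here, next to the HTML,
// not somewhere earlier where the output context is unknown.
function demo_greeting_safe( $atts ) {
    $atts = shortcode_atts( array( 'name' => 'World' ), $atts );
    return '<p>Hello, ' . esc_html( $atts['name'] ) . '!</p>';
}
add_shortcode( 'demo_greeting', 'demo_greeting_safe' );

// Constructed input for illustration: [demo_greeting name="<b>Mallory</b>"]
// The unsafe version renders the name in bold (the markup is live); the safe
// version outputs &lt;b&gt;Mallory&lt;/b&gt; and the tags show up as text.
```

The unsafe function is kept only to show the contrast; in a real plugin only the escaped version would be registered.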
2. esc_textarea(): escapes text for display inside a <textarea> element. How to use this function in a WordPress plugin is shown below.
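An added example (not the original post's code) that renders a stored option inside a <textarea> on a settings screen; the option name and function name are assumed, and get_option() and esc_textarea() come from WordPress.

```php
<?php
// Added example, not the original post's code. Assumes WordPress is loaded;
// the option name "demo_notes" is made up for this demo.
function demo_render_notes_field() {
    // The stored string is user-controlled and may contain anything,
    // including a literal "</textarea>" followed by further markup.
    $notes = get_option( 'demo_notes', '' );

    // esc_textarea() encodes the content for the textarea context, so the
    // stored text cannot close the element early and inject markup after it.
    echo '<label for="demo_notes">Notes</label>';
    echo '<textarea id="demo_notes" name="demo_notes" rows="5" cols="40">'
        . esc_textarea( $notes )
        . '</textarea>';
}

// Constructed input for illustration: a stored value of
//   "line one</textarea><b>x</b>"
// is emitted as "line one&lt;/textarea&gt;&lt;b&gt;x&lt;/b&gt;" and the
// browser shows it as plain text inside the box.
```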
3. sanitize_text_field(): we create registration forms in WordPress to collect details from users through a form. User input of this kind needs to be sanitized to avoid attacks.
This function checks for invalid UTF-8, converts single < characters to entities, strips all tags, removes line breaks, tabs and extra whitespace, and strips octets.
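An added example (not the original post's code) of a registration form handler that sanitizes a submitted field before saving it; the action name, nonce name, field name and meta key are assumed, and wp_verify_nonce(), wp_unslash(), sanitize_text_field() and update_user_meta() are WordPress functions.

```php
<?php
// Added example, not the original post's code. Assumes WordPress is loaded;
// the form field, nonce and meta key names are made up for this demo.
function demo_handle_registration() {
    // Verify the request really came from our form before touching input.
    if ( ! isset( $_POST['demo_nonce'] )
        || ! wp_verify_nonce( $_POST['demo_nonce'], 'demo_register' ) ) {
        wp_die( 'Invalid request.' );
    }

    // WordPress adds slashes to superglobals, so remove them first.
    $raw = isset( $_POST['display_name'] ) ? wp_unslash( $_POST['display_name'] ) : '';

    // Sanitize on input: invalid UTF-8 is dropped, tags are stripped, a lone
    // "<" becomes an entity, and line breaks, tabs and extra whitespace go.
    $display_name = sanitize_text_field( $raw );

    if ( '' === $display_name ) {
        wp_die( 'Display name is required.' );
    }

    update_user_meta( get_current_user_id(), 'demo_display_name', $display_name );
}
add_action( 'admin_post_demo_register', 'demo_handle_registration' );

// Constructed input for illustration: "  Alice <script>x</script>\n  Smith "
// is stored as "Alice x Smith".
//
// When the stored value is printed later it still has to be escaped for the
// output context (esc_html() in a text node, esc_attr() in an attribute):
// sanitizing input and escaping output are two separate steps.
```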
1. esc_attr(): we use this function when displaying a form; the value placed into a form attribute needs to be escaped. Let's check a small example below.
In the above code we are escaping the value of $EM_Ticket->ticket_id. esc_attr() encodes < > & " ' (less than, greater than, ampersand, double quote, single quote). It is identical to esc_html(), except that it applies the attribute_escape filter to the output.
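An added example (not the original post's code) of placing a ticket value into a form attribute. The $EM_Ticket object is constructed here to stand in for the Events Manager ticket object the post refers to; the property values and the function name are assumed, and esc_attr() is the WordPress function.

```php
<?php
// Added example, not the original post's code. Assumes WordPress is loaded.
// $EM_Ticket is a constructed stand-in for the plugin's ticket object.
$EM_Ticket = (object) array(
    'ticket_id'   => '42',
    'ticket_name' => 'Early bird',
);

function demo_ticket_fields( $EM_Ticket ) {
    // Vulnerable form: a double quote inside the value would terminate the
    // value="" attribute and let the rest of the string add new attributes.
    $unsafe = '<input type="hidden" name="ticket_id" value="' . $EM_Ticket->ticket_id . '">';

    // Hardened form: esc_attr() encodes " ' < > & so the value stays inside
    // the attribute no matter what it contains.
    $safe  = '<input type="hidden" name="ticket_id" value="' . esc_attr( $EM_Ticket->ticket_id ) . '">';
    $safe .= '<input type="text" name="ticket_name" value="' . esc_attr( $EM_Ticket->ticket_name ) . '">';

    return $safe; // $unsafe is computed only to show the contrast
}

echo demo_ticket_fields( $EM_Ticket );

// Constructed input for illustration: a ticket_name of  Say "hi"  is written
// as value="Say &quot;hi&quot;", so the quotes cannot break out of the attribute.
```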
1. esc_url(): to sanitize URLs we always use esc_url(). It rejects URLs that do not have one of the provided whitelisted protocols (defaulting to http, https, ftp, ftps, mailto, news, irc, gopher, nntp, feed, and telnet), eliminates invalid characters, and removes dangerous characters. It replaces clean_url(), which was deprecated in 3.0.
It encodes characters as HTML entities, so use this function when generating an (X)HTML or XML document: ampersands (&) and single quotes (') are encoded as numeric entity references (&#038;, &#039;). Check the example below.
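An added example (not the original post's code) that links to a URL stored in post meta; the meta key and function name are assumed, and esc_url(), esc_html() and get_post_meta() are WordPress functions.

```php
<?php
// Added example, not the original post's code. Assumes WordPress is loaded;
// the meta key "demo_website" is made up for this demo.
function demo_render_link( $url, $label ) {
    // esc_url() drops the URL entirely (returns '') when its scheme is not on
    // the whitelist, strips invalid characters, and entity-encodes & and '.
    $safe_url = esc_url( $url );
    if ( '' === $safe_url ) {
        return ''; // nothing safe to link to, so emit no link at all
    }

    // The href is attribute context and the label is text context,
    // so each gets the escaping function for its own context.
    return '<a href="' . $safe_url . '">' . esc_html( $label ) . '</a>';
}

echo demo_render_link( get_post_meta( get_the_ID(), 'demo_website', true ), 'Website' );

// Constructed inputs for illustration:
//   "https://example.com/?a=1&b=2"  ->  href="https://example.com/?a=1&#038;b=2"
//   "javascript:alert(1)"          ->  '' (scheme not whitelisted), so no link
```

When the URL is being stored or used in a redirect rather than printed into HTML, WordPress provides esc_url_raw(), which applies the same protocol check without the entity encoding.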
1. esc_sql(): when we write SQL queries to fetch results, every value we put into the query, whether a single string or an array of strings, needs to pass through esc_sql() to escape it.
If we escape the values, we can avoid SQL injection.
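An added example (not the original post's code) of building a lookup query with esc_sql(), for both a single string and an array, shown beside the equivalent $wpdb->prepare() call. The table name and function name are assumed; $wpdb, esc_sql() and $wpdb->prepare() are WordPress.

```php
<?php
// Added example, not the original post's code. Assumes WordPress is loaded
// and a custom table {$wpdb->prefix}demo_tickets exists (made up for this demo).
function demo_find_tickets( $name, array $names_in ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_tickets';

    // esc_sql() escapes quotes and backslashes so the value cannot end the
    // string literal. It only works when the value is wrapped in quotes in
    // the SQL, and it does nothing for numeric or identifier positions.
    $safe = esc_sql( $name );
    $sql  = "SELECT ticket_id, ticket_name FROM {$table} WHERE ticket_name = '{$safe}'";

    // esc_sql() also accepts an array and escapes each element, which is
    // handy for an IN () list.
    $list = "'" . implode( "','", esc_sql( $names_in ) ) . "'";
    $sql_in = "SELECT ticket_id, ticket_name FROM {$table} WHERE ticket_name IN ({$list})";

    // Equivalent with $wpdb->prepare(): it quotes and escapes %s itself and
    // also handles %d and %f, so it is the safer default for new code.
    $prepared = $wpdb->prepare(
        "SELECT ticket_id, ticket_name FROM {$table} WHERE ticket_name = %s",
        $name
    );

    return array(
        'by_name' => $wpdb->get_results( $sql ),
        'in_list' => $wpdb->get_results( $sql_in ),
        'prepared' => $wpdb->get_results( $prepared ),
    );
}

// Constructed input for illustration: a name of  O'Reilly  becomes
// WHERE ticket_name = 'O\'Reilly' in both the esc_sql() and prepare() forms.
```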
Thanks for reading this article.