Most developers build WordPress websites without paying much attention to security. When coding custom plugins for our sites we often do not follow the coding standards, and that opens the door to cross-site scripting (XSS) and SQL injection attacks. Today we will discuss these attacks and fix the underlying issues using WordPress's default escaping functions.
There are different output escaping contexts, each with its own set of functions. Let's look at them:
1. Text Nodes
2. Attribute Nodes
3. JavaScript
4. URLs
5. Database

Text Nodes:
1. esc_html(): encodes < > & " ' (less than, greater than, ampersand, double quote, single quote). It is identical to esc_attr() except that it applies the esc_html filter to the output.
A simple example of using this function in a WordPress plugin is shown below.

<?php if ( empty( $shown_default ) && $default_value > 0 ) : ?>
    <option selected="selected"><?php echo esc_html( $default_value ); ?></option>
<?php endif; ?>

In the code above the output is escaped with esc_html(). Use this function only when the output is placed in the body of an HTML element, that is, in a text node.

2. esc_textarea(): used to escape text that is placed inside a <textarea> element. Use it in a WordPress plugin as shown below.

<textarea name="notes"><?php echo esc_textarea( $text ); ?></textarea>

3. sanitize_text_field(): when we build a registration form in WordPress to collect user details, the values submitted through that form are untrusted input. To avoid attacks, this kind of user input must be sanitized before it is used.

$clean = sanitize_text_field( $text );

This function checks for invalid UTF-8, converts single < characters to entities, strips all tags, removes line breaks, tabs and extra whitespace, and strips octets.

Attribute Nodes:
1. esc_attr(): we use this function when displaying form output, where a value lands inside an HTML attribute and must be escaped for that context. Let's look at a small example below.

<input type="hidden" name="ticket_id" value='<?php echo esc_attr($EM_Ticket->ticket_id); ?>' />

In the code above we escape the value of $EM_Ticket->ticket_id. esc_attr() encodes < > & " ' (less than, greater than, ampersand, double quote, single quote). It is identical to esc_html() except that it applies the attribute_escape filter to the output.

JavaScript:
1. esc_js(): used to escape output that is echoed inside inline JavaScript in HTML, for example in an event-handler attribute. Let's look at the sample code below.
The first PHP segment uses esc_attr() because the value is an HTML attribute of the input, while the following PHP segments use esc_js() because they sit inside inline JavaScript.

<input type="text" value="<?php echo esc_attr( $instance['input_text'] ); ?>" id="subbox"
       onfocus="if ( this.value == '<?php echo esc_js( $instance['input_text'] ); ?>' ) { this.value = ''; }"
       onblur="if ( this.value == '' ) { this.value = '<?php echo esc_js( $instance['input_text'] ); ?>'; }"
       name="email" />

URLs:
1. esc_url(): to sanitize URLs we always use esc_url(). It rejects URLs that do not use one of the whitelisted protocols (by default http, https, ftp, ftps, mailto, news, irc, gopher, nntp, feed and telnet), eliminates invalid characters and removes dangerous characters. It replaces clean_url(), which was deprecated in WordPress 3.0.
Use this function when generating an (X)HTML or XML document: it encodes ampersands (&) and single quotes (') as numeric entity references (&#038; and &#039;). Check the example below.

<td><a href="<?php echo esc_url( EM_ADMIN_URL ); ?>"><?php echo esc_html( $events[ $EM->name ] ); ?></a></td>

Database:
1. esc_sql(): when we write SQL queries to fetch results, every value interpolated into the query, whether a single string or an array of strings, needs to pass through esc_sql() to be escaped.

global $wpdb;
// esc_sql() escapes the values for use inside the single-quoted SQL string literals below
$username = esc_sql( $username );
$status   = esc_sql( $status );
$wpdb->get_var( "SELECT * FROM table WHERE foo = '$username' AND status = '$status'" );

If we escape the values this way before placing them inside quotes, we avoid SQL injection.
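The following is an added example, not code from the original article: one template function that applies the matching escaping function to each output context covered above (text node, attribute, URL, inline JavaScript, textarea), plus the database lookup written with $wpdb->prepare(). The function names, the $ticket array fields and the tickets table name are assumptions.

```php
<?php
// Added example, not from the original article. Assumes a hypothetical plugin
// with a {$wpdb->prefix}tickets table and a $ticket array holding
// 'id', 'label' and 'notes'; these names are assumptions.

// Render one ticket row, choosing the escaping function by output context.
function my_plugin_render_ticket( array $ticket, $edit_url ) {
    // Sanitize the untrusted field on the way in; still escape it on the way out.
    $label = sanitize_text_field( $ticket['label'] );
    ?>
    <tr>
        <!-- Text node: esc_html() -->
        <td><?php echo esc_html( $label ); ?></td>
        <!-- Attribute node: esc_attr(), and the attribute value is always quoted -->
        <td><input type="hidden" name="ticket_id" value="<?php echo esc_attr( $ticket['id'] ); ?>" /></td>
        <!-- URL: esc_url() drops non-whitelisted schemes and dangerous characters -->
        <td><a href="<?php echo esc_url( $edit_url ); ?>">Edit</a></td>
        <!-- Inline JavaScript in an attribute: esc_js() for the JS string literal -->
        <td><button type="button" onclick="alert( '<?php echo esc_js( $label ); ?>' );">Show</button></td>
        <!-- Textarea body: esc_textarea() -->
        <td><textarea name="notes"><?php echo esc_textarea( $ticket['notes'] ); ?></textarea></td>
    </tr>
    <?php
}

// Database: esc_sql() escapes a value for use inside SQL quotes but does not
// add the quotes, so it gives no protection for an unquoted value.
// $wpdb->prepare() quotes and escapes every placeholder itself, which makes it
// the safer default over hand-built strings.
function my_plugin_ticket_status( $username, $status ) {
    global $wpdb;
    return $wpdb->get_var( $wpdb->prepare(
        "SELECT status FROM {$wpdb->prefix}tickets WHERE owner = %s AND status = %s",
        $username,
        $status
    ) );
}
```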

Thanks for reading this article.
