How to escape and sanitize data in WordPress

Data escape and disinfection are two key steps in WordPress security development. 1. Data disinfection (Sanitize) is used for secure storage and is processed before saving user input, such as using sanitize_text_field(), sanitize_email() and other functions to clean up data; 2. Data escape (Escape) is used for safe display, and is processed when output to the front end, such as esc_html(), esc_url() and other functions to prevent script execution; 3. Use appropriate hooks and function libraries, such as wp_kses_post() to filter rich text content, add_query_arg() to safely operate URL parameters; 4. Pay attention to security restrictions in different scenarios, background output needs to be strictly escaped, database queries should use $wpdb->prepare() to prevent injection, and do not directly output $_GET or $_POST data.

In WordPress development, data escape and disinfection are important steps to ensure website security. Many people are prone to confuse these two concepts. In fact, their purpose is different: escape is to display data safely , while disinfection is to store data safely . Only by figuring this out can the corresponding function be used correctly.

1. Data disinfection: Process user input before saving

When you obtain data from forms, URL parameters, or other user sources, the data must be disinfected to ensure that its format is in line with expectations and prevent malicious content from entering the database.

Common disinfection functions are:

• sanitize_text_field() ——Clean text fields and remove unsafe characters
• sanitize_email() —— Verify and clean the email address
• sanitize_url() ——Clean URL address
• intval() or absint() - Get integer or absolute integer value
• sanitize_key() ——Clean the database key name (such as option name)

For example, if you have a text input box that submits the username:

 $username = sanitize_text_field($_POST['username']);
update_user_meta($user_id, 'custom_username', $username);

This avoids attacks such as XSS or SQL injection. Remember, all user inputs must be disinfected, even if you think this field "will not have any problems".

2. Data Escape: Protect the page security when output

When you want to display data to the front-end page, you must perform appropriate escapes based on the output location to prevent script execution or damage the HTML structure.

WordPress provides some commonly used escape functions:

• esc_html() ——Output pure HTML content to prevent HTML tags from being executed
• esc_attr() — for HTML attribute values
• esc_url() - Used when displaying links
• esc_js() —— for JavaScript strings

For example, you want to display a custom title in a <h2></h2> tag:

 $title = get_post_meta($post_id, 'custom_title', true);
echo &#39;<h2 id="esc-html-title">&#39; . esc_html($title) . &#39;</h2>&#39;;

Or use on the link:

 $link = get_post_meta($post_id, 'custom_link', true);
echo &#39;<a href="&#39; . esc_url($link) . &#39;">Click here</a>&#39;;

Note: The escape function should be placed in the final output place, rather than being processed in advance and stored in the database.

3. Use appropriate security hooks and function libraries

WordPress comes with many security-related functions and hooks, such as:

• Use add_query_arg() and remove_query_arg() to safely manipulate URL parameters
• Use wp_kses() or wp_kses_post() to allow partial HTML tags while filtering dangerous code
• Add check_admin_referer() and check_ajax_referer() to the form to verify the source of the request

For example, if you want the user to enter a rich text piece, you can do this:

 $content = wp_kses_post($_POST['content']);
update_post_meta($post_id, 'custom_content', $content);

This can not only preserve some basic HTML formats, but also prevent potential malicious script injection.

4. Things to note in different scenarios

• When managing the background outputting user data , it is recommended to use a strict escape method because the administrator privileges are higher.
• When outputting ordinary user content in the foreground , you can appropriately relax restrictions (such as using wp_kses() to define whitelists), but do not completely let them go.
• When splicing variables in database queries , try to use $wpdb->prepare() to prevent SQL injection.
• Avoid direct output of unprocessed $_GET or $_POST data , which is the source of many XSS vulnerabilities.

Basically that's it. Data security is not particularly complicated, but it is easily overlooked. As long as you develop the habit of "disinfecting first, then storing, then escaping and then outputting" during the development process, you can greatly improve the security of WordPress plug-ins or themes.

The above is the detailed content of How to escape and sanitize data in WordPress. For more information, please follow other related articles on the PHP Chinese website!