• Resolved agm285

    (@agm285)


    I have a custom-post field in which I want to allow user to save html code. (The post defines an upcoming concert, and paypal supplies the pay button code. I want the client to simply paste that into the concert form.) If I sanitize the field before saving I lose the tags.

    The doc says to be careful about saving user input. Validate and sanitize. It also says (I recall seeing) that you should use prepared statements when saving data. Does that apply to calls to update_post_meta, which is what I’m using? (How would I do that?) Or is it referring only to any new functions I create that make calls to the database?

    And is it less important when we’re talking about the dashboard, as opposed to public comments on the site?

Viewing 4 replies - 1 through 4 (of 4 total)
  • Jon (Kenshino)

    (@kenshino)

    Lord Jon

    What you should do is to sanitise the field using wp_kses. (Allows you to define the allowed html tags)

    If you want to allow the standard tags that the WP Editor (TinyMCE) accepts, you can use wp_kses_post.

    Thread Starter agm285

    (@agm285)

    It’s not really so much a question of preventing certain tags. I’m wondering whether the string entered in the field is stored in the database using a prepared statement. If not, I don’t think preventing certain tags is going to make it safe!

    On the other hand, this is just a text entry. Maybe an injection attack doesn’t work here.

    As it says on the codex page for update_post_meta():

    The new value of the custom field. A passed array will be serialized into a string. (This should be raw as opposed to sanitized for database queries.)

    So any values that you pass to it do not need to be escaped or serialized or anything else. Just pass in the values and WordPress will deal with it.
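    The pattern the two replies point at, wp_kses for the HTML side and update_post_meta() for the storage side, as an added PHP example that is not from this thread or from WordPress core. It assumes a post type `concert`, a meta-box field named `concert_paypal_button` and a nonce field `concert_paypal_nonce`; note that wp_kses_post() does not allow `<form>` or `<input>`, so a pasted PayPal button needs its own, deliberately narrow allowlist.

```php
<?php
// Added example, not from this thread or from WordPress core.
// Assumed: post type 'concert', form field 'concert_paypal_button',
// nonce field 'concert_paypal_nonce'. Meta key is also an assumption.

// wp_kses_post() strips <form> and <input>, so a PayPal button needs its own
// allowlist. Keep it minimal: no <script>, no style, no on* event attributes.
function concert_paypal_allowed_html() {
    return array(
        'form'  => array( 'action' => true, 'method' => true, 'target' => true ),
        'input' => array( 'type' => true, 'name' => true, 'value' => true,
                          'src' => true, 'alt' => true, 'border' => true ),
        'img'   => array( 'src' => true, 'alt' => true, 'border' => true,
                          'width' => true, 'height' => true ),
    );
}

function concert_save_paypal_button( $post_id ) {
    // Ignore autosaves; only act on a real submit of our meta box.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( ! isset( $_POST['concert_paypal_nonce'] )
        || ! wp_verify_nonce( $_POST['concert_paypal_nonce'], 'concert_save_paypal' ) ) {
        return;
    }
    // Dashboard or not, still check the user may edit this post.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $raw = isset( $_POST['concert_paypal_button'] )
        ? wp_unslash( $_POST['concert_paypal_button'] ) : '';

    // Sanitise for HTML (the XSS side). The SQL side is handled inside
    // update_post_meta() via $wpdb, so the value is passed in unescaped.
    $clean = wp_kses( $raw, concert_paypal_allowed_html() );
    // Leading underscore hides the key from the generic Custom Fields box.
    update_post_meta( $post_id, '_concert_paypal_button', $clean );
}
add_action( 'save_post_concert', 'concert_save_paypal_button' );

// On output, filter through the same allowlist again so a value written by
// another path (import, direct DB edit) is still constrained when rendered.
function concert_paypal_button_html( $post_id ) {
    $stored = get_post_meta( $post_id, '_concert_paypal_button', true );
    return wp_kses( $stored, concert_paypal_allowed_html() );
}
```

    wp_kses also restricts the URL schemes allowed in `action` and `src`, which is what keeps a pasted button from carrying a `javascript:` target.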

    Thread Starter agm285

    (@agm285)

    Thanks!

  • The topic ‘Does update_post_meta() use sql prepared statements?’ is closed to new replies.