• Hi I am using the following code to screen variables prior to going into a database table.

    I was just wondering if I have done it correctly or if there was a better way of doing it:

    // Run variable input through filters
    
    // Each POST field is passed through WordPress's sanitize_text_field() and
    // then through the custom check_input() defined below. The second argument
    // of check_input() is the message shown when a required field is empty.
    $first_name = sanitize_text_field( $_POST['first_name'] );
    $first_name = check_input( $first_name );
    
    $family_name = sanitize_text_field( $_POST['family_name'] );
    $family_name = check_input( $family_name, "Please Enter a Family Name" );
    
    $sex = sanitize_text_field( $_POST['sex'] );
    $sex = check_input( $sex, "Please Enter The Sex of the New Person" );
    
    $date_of_birth = sanitize_text_field( $_POST['date_of_birth'] );
    $date_of_birth = check_input( $date_of_birth );
    
    $date_of_death = sanitize_text_field( $_POST['date_of_death'] );
    $date_of_death = check_input( $date_of_death );
    
    // tablename.php is expected to set $table_name ($n is presumably set there too)
    include ('tablename.php');
    
    $wpdb->insert( $table_name, array(
        'first_name'    => $first_name,
        'family_name'   => $family_name,
        'sex'           => $sex,
        'date_of_birth' => $date_of_birth,
        'date_of_death' => $date_of_death,
        'family_id'     => $family_name . $n
    ) );
    
    // Strip tags, surrounding whitespace and slashes, then HTML-encode what is
    // left. If $problem is given and the result is empty, abort with that message.
    function check_input( $data, $problem = '' )
    {
        $data = strip_tags( $data );
        $data = trim( $data );
        $data = stripslashes( $data );
        $data = htmlspecialchars( $data );
    
        if ( $problem && strlen( $data ) == 0 )
        {
            die( $problem );
        }
        return $data;
    }
    
    // auto_new_page.php is presumably where $id comes from
    include ('auto_new_page.php');
    $wpdb->insert( $table_name, array( 'person_id' => $id ) );
Viewing 3 replies - 1 through 3 (of 3 total)
  • I think sanitize_text_field() already does what your check_input() function is doing (i.e., stripping tags and the like). That said, I don’t think you’re safe from SQL injection attacks using just the methods above.

    You might want to check out some examples of common exploits to see the kind of stuff you want to filter out. Wikipedia has a good introduction here:

    https://en.wikipedia.org/wiki/SQL_injection

    That said, you’re probably thinking “Hey, I value my time. I just want to insert some data into a table, not become a security expert!” If so, then I completely agree.

    The simplest way to protect your database is to filter each input specifically to suit the type of data you expect. So, if you’re expecting a date in the format of “YYYY-MM-DD”, then it better arrive as “2013-04-05” and not “2013/04/05” or “Hello World”.

    But unless I’ve missed something in the documentation, WordPress doesn’t offer anything that specific. So, I like to use the PHP sanitize and filter functions for more fine-grained control over input validation:

    https://php.net/manual/en/filter.filters.sanitize.php
    https://www.php.net/manual/en/filter.filters.validate.php

    If you use those you should be ok, especially with FILTER_VALIDATE_REGEXP.

    Actually, I may be wrong. It appears $wpdb->insert() and $wpdb->update() have some security mechanisms built in.

    However, I still recommend the PHP sanitize and validate functions for data integrity, if nothing else.

    Also, the way you were placing the variables directly into your SQL string in your previous question could be susceptible to SQL injection attacks:

    "SELECT marriage_id FROM $table_name2 WHERE person_id = id and spouse_id = $spouse_id"

    It’s best to do the fine-grained validation and sanitizing yourself rather than relying on any generic string cleanup methods or magic provided by WordPress behind the scenes.
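The per-field validation the reply above recommends, written out as an added example (this is not code from the thread or from WordPress itself): each POST field is checked with PHP's filter_var()/checkdate() against the shape it is supposed to have, and only then handed to $wpdb->insert() with an explicit format array. It assumes it runs inside WordPress (so $wpdb, sanitize_text_field(), wp_die() and esc_html() exist), that $table_name has already been set as in the question, and that the name/date regexes and the M/F whitelist are acceptable rules for this application; those rules are my assumptions.

```php
<?php
// Added example, not code from the original thread: validate each field
// against the type of data expected before calling $wpdb->insert().
// Assumes WordPress is loaded; regexes and the sex whitelist are assumptions.

function validate_person_input( array $post ) {
    $errors = array();
    $clean  = array();

    // Fetch a field as a plain string and apply the same text cleanup the OP used.
    $field = function ( $key ) use ( $post ) {
        return isset( $post[ $key ] ) ? sanitize_text_field( (string) $post[ $key ] ) : '';
    };

    // Names: letters in any script, spaces, apostrophes and hyphens, 1-100 chars.
    $name_rule = array( 'options' => array( 'regexp' => "/^[\\p{L} '\\-]{1,100}$/u" ) );
    foreach ( array( 'first_name', 'family_name' ) as $key ) {
        $value = filter_var( $field( $key ), FILTER_VALIDATE_REGEXP, $name_rule );
        if ( false === $value ) {
            $errors[] = 'Please enter a valid ' . str_replace( '_', ' ', $key ) . '.';
        } else {
            $clean[ $key ] = $value;
        }
    }

    // Sex: a fixed whitelist is stricter than any pattern.
    $sex = $field( 'sex' );
    if ( in_array( $sex, array( 'M', 'F' ), true ) ) {
        $clean['sex'] = $sex;
    } else {
        $errors[] = 'Please enter the sex of the new person (M or F).';
    }

    // Dates: must match YYYY-MM-DD *and* be a real calendar date.
    // date_of_death may be empty; it is stored as NULL in that case.
    $date_rule = array( 'options' => array( 'regexp' => '/^\d{4}-\d{2}-\d{2}$/' ) );
    foreach ( array( 'date_of_birth' => true, 'date_of_death' => false ) as $key => $required ) {
        $value = $field( $key );
        if ( '' === $value ) {
            if ( $required ) {
                $errors[] = 'Please enter a ' . str_replace( '_', ' ', $key ) . '.';
            } else {
                $clean[ $key ] = null;
            }
            continue;
        }
        if ( false === filter_var( $value, FILTER_VALIDATE_REGEXP, $date_rule ) ) {
            $errors[] = $key . ' must be in YYYY-MM-DD form.';
            continue;
        }
        list( $y, $m, $d ) = explode( '-', $value );
        if ( ! checkdate( (int) $m, (int) $d, (int) $y ) ) {
            $errors[] = $key . ' is not a real calendar date.';
        } else {
            $clean[ $key ] = $value;
        }
    }

    return array( $clean, $errors );
}

list( $person, $errors ) = validate_person_input( $_POST );
if ( $errors ) {
    wp_die( esc_html( implode( ' ', $errors ) ) );
}

// The third argument tells $wpdb how to treat each column ('%s' = string),
// so every value is escaped rather than interpolated raw; NULL stays NULL.
$wpdb->insert(
    $table_name,
    $person,
    array( '%s', '%s', '%s', '%s', '%s' )
);
```

Rejecting anything that does not match the expected shape (rather than trying to strip bad characters out of it) is what gives the data-integrity benefit the reply mentions: a date column can only ever receive a real date, and the sex column only one of two known values.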

    Moderator bcworkz

    (@bcworkz)

    It appears $wpdb->insert() and $wpdb->update() have some security mechanisms built in.

    Yes, this is correct for these particular methods, but other $wpdb methods do not have such mechanisms and should be passed at a minimum through $wpdb->prepare(), which is more or less a fancy addslashes(). One needs to carefully examine the documentation and source to be sure, never assume.

    WP also has several more specific sanitization functions for common data types; they are usually named following the form sanitize_*(), for example sanitize_text_field().

    bcwp is correct in that one should sanitize and validate specific data as precisely as possible for any given situation, but options are available if one is unwilling or unable to be that detailed.
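As an added example (not code from the thread or from WordPress), here is the string-built SELECT quoted in the first reply rewritten with $wpdb->prepare(), alongside the format arrays that give $wpdb->update() the same per-column escaping. It assumes it runs inside WordPress; $table_name, $table_name2, person_id, spouse_id and the $id/$date_of_death values follow the thread, and the marriages table name is an assumption.

```php
<?php
// Added example, not code from the thread: the raw-string query from the first
// reply rewritten with $wpdb->prepare(). Assumes WordPress is loaded.

// Table names cannot be placeholders, so they must come from trusted code
// (prefix plus a literal), never from request data. Name is assumed.
$table_name2 = $wpdb->prefix . 'marriages';

// %d placeholders: prepare() casts each argument to an integer and inserts the
// number, so nothing in $person_id or $spouse_id can change the query text.
function find_marriage_id( $wpdb, $table_name2, $person_id, $spouse_id ) {
    $sql = $wpdb->prepare(
        "SELECT marriage_id FROM {$table_name2} WHERE person_id = %d AND spouse_id = %d",
        $person_id,
        $spouse_id
    );
    return $wpdb->get_var( $sql );
}

// %s placeholders: prepare() quotes and escapes the value itself, so the
// placeholder must NOT be wrapped in quotes inside the query string.
function find_people_by_family( $wpdb, $table_name, $family_name ) {
    $sql = $wpdb->prepare(
        "SELECT person_id, first_name FROM {$table_name} WHERE family_name = %s",
        $family_name
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// insert()/update() do not use prepare(); they take format arrays instead.
// The fourth argument formats the data columns, the fifth the WHERE columns.
function record_date_of_death( $wpdb, $table_name, $id, $date_of_death ) {
    return $wpdb->update(
        $table_name,
        array( 'date_of_death' => $date_of_death ), // data
        array( 'person_id' => $id ),                // where
        array( '%s' ),                              // data formats
        array( '%d' )                               // where formats
    );
}
```

The habit to build is that any $wpdb call which takes SQL text (get_var, get_results, get_row, query) goes through prepare() with placeholders for every variable, while insert()/update()/delete() get an explicit format array; table names are the one thing that has to be trusted before it reaches either.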

  • The topic ‘Query on Security’ is closed to new replies.