Friday, January 27, 2023

sanitization – Escaping data from database (users table) is necessary?


I’ve submitted a plugin for review and it was not accepted because it needs some fixes with data sanitization and escaping.

One of the flagged examples was this line:

echo "<option value=\"$result->ID\" $selected>$result->display_name</option>\n";

(I am guessing due to this value: $result->display_name)

third to last line of this function:

function get_users_with_role( $roles, $current_selected ) {

  global $wpdb;
  if ( ! is_array( $roles ) ) {
      // array_map() returns the trimmed array; array_walk() would return a bool
      $roles = array_map( 'trim', explode( ",", $roles ) );
  }
  $sql = '
      SELECT  ID, display_name
      FROM        ' . $wpdb->users . ' INNER JOIN ' . $wpdb->usermeta . '
      ON          ' . $wpdb->users . '.ID             =       ' . $wpdb->usermeta . '.user_id
      WHERE       ' . $wpdb->usermeta . '.meta_key        =       \'' . $wpdb->prefix . 'capabilities\'
      AND     (
  ';
  $i = 1;
  foreach ( $roles as $role ) {
      // each role name is concatenated straight into the LIKE clause, unprepared
      $sql .= ' ' . $wpdb->usermeta . '.meta_value    LIKE    \'%"' . $role . '"%\' ';
      if ( $i < count( $roles ) ) $sql .= ' OR ';
      $i++;
  }
  $sql .= ' ) ';
  $sql .= ' ORDER BY display_name ';

  $results = $wpdb->get_results( $sql );
  foreach ( $results as $result ) {

      $selected = null;

      if ( $result->ID == $current_selected ) {
        $selected = "selected=\"selected\"";
      }

      // the line the reviewer flagged: ID and display_name are echoed unescaped
      echo "<option value=\"$result->ID\" $selected>$result->display_name</option>\n";
    }
}

Do we really need to escape the data that was already entered in the WP database, specifically usernames and their integer ids?
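For comparison, a hardened version of the function in the question, added here as an example (it is not the asker's code or WordPress core): the role names reach the query only through $wpdb->prepare() with esc_like(), and the ID and display name are escaped at output with esc_attr(), esc_html() and selected(). It assumes it runs inside WordPress, where those helpers and the global $wpdb are available.

```php
<?php
// Added example, not the asker's code or WordPress core: the same lookup with
// the sanitization and escaping a plugin reviewer expects. Assumes it runs
// inside WordPress, where $wpdb, esc_attr(), esc_html() and selected() exist.
function get_users_with_role_escaped( $roles, $current_selected ) {
    global $wpdb;

    if ( ! is_array( $roles ) ) {
        // array_map() returns the trimmed array (array_walk() returns a bool).
        $roles = array_map( 'trim', explode( ',', $roles ) );
    }
    $roles = array_filter( $roles, 'strlen' );
    if ( empty( $roles ) ) {
        return;
    }

    // One "meta_value LIKE %s" placeholder per role: the role names reach the
    // query only through prepare(), and esc_like() neutralises % and _ in them.
    $like        = "{$wpdb->usermeta}.meta_value LIKE %s";
    $where_roles = implode( ' OR ', array_fill( 0, count( $roles ), $like ) );
    $params      = array( $wpdb->prefix . 'capabilities' );
    foreach ( $roles as $role ) {
        $params[] = '%"' . $wpdb->esc_like( $role ) . '"%';
    }

    $sql = $wpdb->prepare(
        "SELECT {$wpdb->users}.ID, {$wpdb->users}.display_name
         FROM {$wpdb->users}
         INNER JOIN {$wpdb->usermeta} ON {$wpdb->users}.ID = {$wpdb->usermeta}.user_id
         WHERE {$wpdb->usermeta}.meta_key = %s AND ( {$where_roles} )
         ORDER BY {$wpdb->users}.display_name",
        $params
    );

    foreach ( $wpdb->get_results( $sql ) as $user ) {
        // Escape at output, by context: the ID lands in an attribute, the display
        // name in element text. selected() emits selected='selected' on a match.
        printf(
            '<option value="%s" %s>%s</option>' . "\n",
            esc_attr( $user->ID ),
            selected( $user->ID, $current_selected, false ),
            esc_html( $user->display_name )
        );
    }
}
```

Escaping is applied where the value is used, not where it was stored: a display_name is free text that any user can edit in their profile, so it is untrusted in an HTML context even though it came from the WP database.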
