When I use WordPress built-in functions like add_post_meta, update_post_meta, add_user_meta, update_user_meta, wp_insert_post and wp_insert_user, should I do any escaping or sanitizing before passing user-input data to these functions, or do these functions themselves do the trick?

Here in the Codex, Action_Reference/save_post, the data is passed to update_post_meta right out of $_POST.
SQL Injection in WordPress. You are secure from any SQL injection vulnerability if you are using up-to-date WordPress core files. However, when you use third-party themes and plugins, your entire application is at risk. Your WordPress site is only as strong as its weakest link.
Your application can be vulnerable to SQL injection attacks anywhere your website has a form element (generic contact forms, login portals, blog comment forms, eCommerce checkout pages and search bars amongst others). One vulnerable form element can open up the entire database to attackers.
Meta values are sanitized using sanitize_meta, post content is sanitized through wp_kses_post, etc. You can safely assume that built-in functions are secure.
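As an added example, not code from either answer above or from WordPress itself: the built-in functions protect the SQL layer (they go through `$wpdb->prepare()`), but `sanitize_meta()` only runs callbacks that have been hooked for a given key, so a key with nothing registered is stored as received. The snippet below shows the `save_post` pattern from the question done with a `register_meta()` sanitize callback, a nonce and capability check in the handler, and escaping at output. The meta key `wpse_example_rating`, the nonce names and the helper function names are all invented for this example.

```php
<?php
/**
 * Added example (not from the original thread): a save_post handler that
 * sanitizes $_POST input before update_post_meta(), plus a register_meta()
 * sanitize_callback so the same rules apply no matter which code path
 * writes the key. The meta key "wpse_example_rating" and the nonce names
 * are invented for this example. Requires WordPress.
 */

// Register the key once, so sanitize_meta() (called inside update_post_meta)
// runs our callback for every writer: admin forms, REST, WP-CLI, other plugins.
add_action( 'init', function () {
    register_meta( 'post', 'wpse_example_rating', array(
        'type'              => 'integer',
        'single'            => true,
        'show_in_rest'      => false,
        'sanitize_callback' => 'wpse_example_sanitize_rating',
        'auth_callback'     => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

/**
 * Normalize the value to an integer in 1..5. Anything else collapses to 0,
 * which the save handler treats as "delete the key".
 */
function wpse_example_sanitize_rating( $value ) {
    $rating = absint( $value );
    return ( $rating >= 1 && $rating <= 5 ) ? $rating : 0;
}

// Render the field on the edit screen; the stored value is escaped on output.
add_action( 'add_meta_boxes', function () {
    add_meta_box( 'wpse_example_rating_box', 'Rating', function ( $post ) {
        $current = (int) get_post_meta( $post->ID, 'wpse_example_rating', true );
        wp_nonce_field( 'wpse_example_save_rating', 'wpse_example_rating_nonce' );
        printf(
            '<input type="number" min="1" max="5" name="wpse_example_rating" value="%s" />',
            esc_attr( $current )
        );
    }, 'post' );
} );

// The save_post handler: update_post_meta() uses prepared statements, but the
// nonce, authorization and type checks are still the caller's responsibility.
add_action( 'save_post_post', function ( $post_id ) {
    // Autosaves and revisions never carry our form field.
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['wpse_example_rating_nonce'] )
        || ! wp_verify_nonce( $_POST['wpse_example_rating_nonce'], 'wpse_example_save_rating' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['wpse_example_rating'] ) ) {
        return;
    }

    // Sanitize here as well; the register_meta() callback is a second line
    // of defense for other write paths, not a replacement for this one.
    $rating = wpse_example_sanitize_rating( wp_unslash( $_POST['wpse_example_rating'] ) );

    if ( 0 === $rating ) {
        delete_post_meta( $post_id, 'wpse_example_rating' );
    } else {
        update_post_meta( $post_id, 'wpse_example_rating', $rating );
    }
}, 10, 1 );

// Output: escape for the HTML context even though the stored value was sanitized.
function wpse_example_render_rating( $post_id ) {
    $rating = (int) get_post_meta( $post_id, 'wpse_example_rating', true );
    return $rating ? '<span class="rating">' . esc_html( $rating ) . '/5</span>' : '';
}
```

The split is deliberate: sanitizing decides what is allowed to be stored, and belongs on the input side for every write path (hence `register_meta()`), while escaping depends on where the value is printed (`esc_attr()` in the form, `esc_html()` in the template) and belongs on the output side. Neither step is something `update_post_meta()` or `wp_insert_post()` can do for you beyond the core filters the answer above mentions.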