Sanitization in wordpress plugin

0
votes

I wrote a wordpress plugin but wordpress.org rejected it due to sanitization. According to wordpress:

"## Please sanitize your POST calls

You are not properly sanitizing your POST/GET/REQUEST calls.

All instances where $_POST data is inserted into the database, or into a file, MUST be properly sanitized for security. This also holds true for $_REQUEST calls that are processed. In addition, by sanitizing your POST data, you will lessen the possibility of XSS vulnerabilities.

Using stripslashes is not enough, you need to use the Input Validation methods, or things similar, to protect your plugin. The ultimate goal is that you should ensure that invalid data is NEVER processed."

Can some help me here to add one filter code which can sanitize all my $_POST requests, or any other way?

Thanks!

1
phpwordpresspluginssanitization

1 Answers

1
votes

Proper protection instead of Sanitation

Input sanitation is not the correct approach to security. It might be used additionally to the proper protection mechanisms, but not on it's own.

There isn't one filter that can sanitize every input. If security would be that easy, every website would be secure.

For example, to prevent SQL injection, you need to use prepared statements when inserting data into the database.

And for XSS, you have to encode characters before printing them.

So not only do these two attacks require different actions to defend against them, they are also prevented at different times.

For WordPress, these articles should help you:

Sanitation

Ok, but WordPress asked you for proper sanitation. I could imagine that they just phrased it badly, and meant that you should protect against XSS and SQL injection.

If you do want to add sanitation (in addition to - not instead of - prepared statements and encoding), check out these links: