[wp-hackers] wordpress options and security
Robert Deaton
false.hopes at gmail.com
Tue Oct 18 17:09:10 GMT 2005
update_option and add_option should escape input for you:
function update_option($option_name, $newvalue) {
    global $wpdb, $cache_settings;

    if ( is_string($newvalue) )
        $newvalue = trim($newvalue);

    // If the new and old values are the same, no need to update.
    if ( $newvalue == get_option($option_name) )
        return true;

    if ( is_array($newvalue) || is_object($newvalue) )
        $newvalue = serialize($newvalue);

    // If it's not there add it
    if ( !$wpdb->get_var("SELECT option_name FROM $wpdb->options WHERE option_name = '$option_name'") )
        add_option($option_name);

    $newvalue = $wpdb->escape($newvalue);
    $option_name = $wpdb->escape( $option_name );
    $wpdb->query("UPDATE $wpdb->options SET option_value = '$newvalue' WHERE option_name = '$option_name'");
    $cache_settings = get_alloptions(); // Re cache settings
    return true;
}
On 10/18/05, Trevor Turk <trevorturk at yahoo.com> wrote:
> I hope that this is a simple question:
>
> Do we need to sanitize user input when adding/updating
> the options table in wordpress plugins? See this
> example:
>
> // setting options
> function sf_options() {
>     if ( isset($_POST['sf_directory']) ) {
>         $sf_directory = $_POST['sf_directory'];
>         update_option('sf_directory', $sf_directory, '','');
>     }
>     if ( isset($_POST['sf_prefix']) ) {
>         $sf_prefix = $_POST['sf_prefix'];
>         update_option('sf_prefix', $sf_prefix, '','');
>     }
> }
>
> In this case, I'm not doing anything like
> mysql_real_escape_string() or trim() - Do I need to?
>
> Thanks,
> - Trevor
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
--
--Robert Deaton
http://somethingunpredictable.com
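As an added example (not code from this thread or from WordPress core), here is a plugin settings handler in the shape of Trevor's sf_options() that leaves the SQL escaping to update_option(), as the quoted core function does, and does its own validation of what the values mean to the plugin. Two points from the quoted code drive the design: the option value is passed through $wpdb->escape() before the UPDATE, but $option_name is interpolated into the SELECT before it is escaped, so option names are kept as fixed plugin constants rather than taken from the request; and escaping for the options table says nothing about whether a value is later safe to use as a path or identifier. The constants, the sf_validate_* helpers and their patterns are assumptions for the example; update_option() is assumed to behave like the two-argument function quoted above.

```php
<?php
// Added example, not from the thread or WordPress core.
// Assumes update_option() behaves like the core function quoted in the reply
// (it escapes the value for SQL itself). Option names, helper names and
// validation patterns below are hypothetical choices for this example.

// Option names are fixed by the plugin and never taken from the request:
// the quoted update_option() interpolates $option_name into its SELECT
// before calling $wpdb->escape() on it.
define('SF_OPT_DIRECTORY', 'sf_directory');
define('SF_OPT_PREFIX',    'sf_prefix');

// Validate a directory value: relative path segments of safe characters only
// (no '.', so no '..' traversal and no leading '/'). Returns the cleaned value
// or null when the input is not acceptable.
function sf_validate_directory($value) {
    if (!is_string($value)) {
        return null;
    }
    $value = trim($value);
    if (!preg_match('#^[A-Za-z0-9_\-]+(/[A-Za-z0-9_\-]+)*/?$#', $value)) {
        return null;
    }
    return rtrim($value, '/');
}

// Validate a prefix value: a short identifier (letter, then letters, digits,
// underscore), suitable for use in table or key names later on.
function sf_validate_prefix($value) {
    if (!is_string($value)) {
        return null;
    }
    $value = trim($value);
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/', $value)) {
        return null;
    }
    return $value;
}

// Settings handler: store only values that pass validation. SQL escaping is
// left to update_option(), which the quoted core code shows doing it; the
// validation here covers what escaping for the options table does not, namely
// how the plugin will use the value afterwards (building paths, identifiers).
function sf_options() {
    if (isset($_POST['sf_directory'])) {
        $dir = sf_validate_directory($_POST['sf_directory']);
        if ($dir !== null) {
            update_option(SF_OPT_DIRECTORY, $dir);
        }
    }
    if (isset($_POST['sf_prefix'])) {
        $prefix = sf_validate_prefix($_POST['sf_prefix']);
        if ($prefix !== null) {
            update_option(SF_OPT_PREFIX, $prefix);
        }
    }
}
```

Rejected input is simply not stored, so the previously saved option stays in place; a real plugin would report the failure on its settings page. The validators can be exercised directly: sf_validate_directory("uploads/../etc") returns null, sf_validate_directory("uploads/files/") returns "uploads/files", and sf_validate_prefix("wp_") returns "wp_".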