Do I need to prepare strings against MySQL Injection when inserting into the database using a WordPress comments function such as this:
```php
$data = array(
    'comment_post_ID'      => $post_id,
    'comment_author'       => $comment_author,
    'comment_author_email' => $comment_email,
    'comment_content'      => $comment_body,
    'comment_type'         => '',
    'comment_parent'       => 0,
    'user_id'              => 1,
    'comment_author_IP'    => '127.0.0.1',
    'comment_agent'        => 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)',
    'comment_date'         => $time,
    'comment_approved'     => 1,
);
wp_insert_comment( $data );
```
Update:

From this page it seems as though it handles all of this, but doesn't strip HTML/PHP tags; is this in itself worth stripping on a purely security basis?
Higher-level API functions like this in WP typically do the `$wpdb->prepare()` call to protect against MySQL injections.

As for content, by default comments do allow HTML, however it isn't just anything. If you examine `default-filters.php` there are quite a few sanitizing functions hooked to processing comment data, including `wp_kses_post()`, which limits HTML to a whitelisted subset.
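As an added example (not code from the question or the answer above), a hypothetical plugin helper that passes the comment through the `pre_comment_*` filters before calling `wp_insert_comment()`; it assumes it runs inside WordPress, where `wp_slash()`, `wp_filter_comment()` and `wp_insert_comment()` are defined.

```php
<?php
// Added example, not code from the question or the answer above.
// Hypothetical plugin helper; assumes a loaded WordPress environment.

function example_plugin_store_comment( $post_id, $author, $email, $body ) {
    // wp_insert_comment() writes through $wpdb->insert(), which builds a
    // prepared statement, so the SQL side is handled for you. It does NOT
    // run the pre_comment_* filters by itself: the kses HTML whitelist that
    // default-filters.php / kses.php hook to 'pre_comment_content' is applied
    // by wp_filter_comment() (wp_new_comment() calls it for you).
    $data = array(
        'comment_post_ID'      => (int) $post_id,
        'comment_author'       => $author,
        'comment_author_email' => $email,
        'comment_author_url'   => '',          // read by wp_filter_comment()
        'comment_author_IP'    => '127.0.0.1', // constructed sample value
        'comment_content'      => $body,
        'comment_type'         => '',
        'comment_parent'       => 0,
        'user_id'              => 1,
        'comment_approved'     => 1,
    );

    // The comment API expects "slashed" input; wp_slash() adds the slashes
    // and wp_insert_comment() removes them again before writing.
    $data = wp_slash( $data );

    // Runs pre_comment_author_name, pre_comment_author_email,
    // pre_comment_content, etc., so for users without unfiltered_html only
    // the whitelisted HTML survives and tags such as <script> are stripped.
    $data = wp_filter_comment( $data );

    return wp_insert_comment( $data ); // comment ID, or false on failure
}
```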