If I use the wp_insert_post in a plugin, will I have to check the content for SQL injection problems and XSS or will the wp_insert_post function do this for me?
The short answer: absolutely.

wp_insert_post() will only SQL escape the content. Use the KSES library & wp_kses() to filter out the nasties, or esc_html() to escape all HTML. Most importantly, check out the codex on data validation (read: sanitization).
A Note On KSES: Use wp_filter_kses() or wp_kses_data() to apply the same KSES rules as post comments. The subtle difference between the two is the former expects data escaped with slashes (and returns the same), whilst the latter does not. WordPress (bizarrely) enforces magic quotes, so $_POST, $_GET (and the like) will have escape slashes added by default.

A Note On wp_insert_post(): This function also expects the data array to have slashes added, so you'll need to sanitize it with add_magic_quotes() if that's not the case.
Update: And put in practice;
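The following is an added example, not code from the question or from the answer above, showing the pipeline the answer describes in one plugin handler: unslash the request data WordPress has already slashed, sanitize the title, run the body through wp_kses_data() (the unslashed variant), then re-slash before wp_insert_post() because that function unslashes internally. It also adds a capability and nonce check, which the answer does not discuss but any real handler needs. The form field names (demo_title, demo_body), the nonce action (demo_submit_post), the hook action (demo_submit) and every demo_* function are hypothetical; wp_slash() is used as the re-slashing call, which does the same job as the add_magic_quotes() the answer mentions.

```php
<?php
/**
 * Added example (not from the question or the answer above): a plugin handler that
 * sanitizes form input before calling wp_insert_post().
 *
 * Assumptions (hypothetical): a form posts the fields "demo_title" and "demo_body"
 * plus a nonce created with wp_nonce_field( 'demo_submit_post', 'demo_nonce' ),
 * to admin-post.php with action=demo_submit.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

/**
 * Turn raw (slashed) request data into a clean, slashed $postarr for wp_insert_post().
 *
 * @param array $request Request data as WordPress hands it to you ($_POST), i.e. already
 *                       slashed by wp_magic_quotes().
 * @return array Sanitized data, re-slashed because wp_insert_post() unslashes internally.
 */
function demo_build_post_array( array $request ) {
    // 1. Remove the slashes WordPress added so every sanitizer sees the real input.
    $title = isset( $request['demo_title'] ) ? wp_unslash( $request['demo_title'] ) : '';
    $body  = isset( $request['demo_body'] )  ? wp_unslash( $request['demo_body'] )  : '';

    // 2. Title: plain text only. sanitize_text_field() strips tags, invalid UTF-8 and
    //    surrounding whitespace.
    $title = sanitize_text_field( $title );

    // 3. Body: KSES. wp_kses_data() expects UNslashed input and applies the same allow-list
    //    as comments (the 'data' context); wp_filter_kses() is the slashed-in/slashed-out twin.
    //    <script>, onerror= and friends are removed here. wp_kses_post() would allow the
    //    wider 'post' tag set instead.
    $body = wp_kses_data( $body );

    // 4. wp_insert_post() expects slashed data (it calls wp_unslash() itself), so re-add
    //    them. wp_slash() here; add_magic_quotes() as named in the answer works the same way.
    return wp_slash( array(
        'post_title'   => $title,
        'post_content' => $body,
        'post_status'  => 'pending',   // never publish untrusted submissions directly
        'post_type'    => 'post',
    ) );
}

/**
 * Handle the submitted form: authorize, sanitize, insert.
 *
 * @return int|WP_Error New post ID, or WP_Error on failure.
 */
function demo_handle_submission() {
    // Authorization first: capability check, then the CSRF token.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'forbidden', 'You are not allowed to submit posts.' );
    }
    if ( ! isset( $_POST['demo_nonce'] ) ||
         ! wp_verify_nonce( sanitize_key( $_POST['demo_nonce'] ), 'demo_submit_post' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid or expired form token.' );
    }

    $postarr = demo_build_post_array( $_POST );
    if ( '' === $postarr['post_title'] ) {
        return new WP_Error( 'empty_title', 'A title is required.' );
    }

    // Pass true so wp_insert_post() returns a WP_Error instead of 0 on failure.
    return wp_insert_post( $postarr, true );
}

add_action( 'admin_post_demo_submit', function () {
    $result = demo_handle_submission();
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ) );
    }
    wp_safe_redirect( get_permalink( $result ) );
    exit;
} );

// Output side: KSES on the way in does not replace escaping on the way out.
// When a stored string is rendered as text rather than markup, escape it:
//   echo esc_html( get_the_title( $post_id ) );
```

The two KSES calls are deliberately not interchangeable: feeding already-slashed $_POST data straight into wp_kses_data() would leave stray backslashes in the stored content, while wp_filter_kses() on unslashed data would strip backslashes the user actually typed. Unslashing once at the top and re-slashing once at the bottom keeps the rest of the sanitizers ignorant of WordPress's magic-quotes behaviour.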