I am creating a WordPress page that searches through posts based on a date variable that is set through a _GET variable. I want to make sure that I am doing this in the best way possible and that I sanitize the input correctly; I haven’t worked with sanitizing PHP much. Here is the code I have, and it functions properly. The format I need the variable in is “Monday December 17 2012”. Is there more I should be doing to sanitize the GET variable? Let me know if I need to explain anything further. Thanks in advance!
<?php
// Take the date from the query string as-is, or default to today.
if ( isset( $_GET['new_date'] ) ) {
    $display_date = $_GET['new_date'];
} else {
    $display_date = date( 'l F j Y' );
}

// Neighbouring days, derived by parsing the display date with strtotime().
$next_date = date( 'l F j Y', strtotime( '+1 Day', strtotime( $display_date ) ) );
$prev_date = date( 'l F j Y', strtotime( '-1 Day', strtotime( $display_date ) ) );
?>
<div class="large-date">
    <!-- $display_date is echoed unescaped, exactly as received -->
    <h1><?php echo $display_date; ?></h1>
    <a class="prev-day" href="<?php echo $_SERVER['PHP_SELF'] . '?new_date=' . urlencode( $prev_date ); ?>"><?php echo $prev_date; ?></a>
    <a class="next-day" href="<?php echo $_SERVER['PHP_SELF'] . '?new_date=' . urlencode( $next_date ); ?>"><?php echo $next_date; ?></a>
</div>
strtotime will return false if you give it weird information. However, if you do what you are doing and nest two statements you may not get what you expect. And date returns the beginning of the universe, the day of creation– January 1, 1970– if given weird data. So, I don’t think you really have a sanitization issue, but it may not work the way you want.
That said, I’d strip every character that should not be in the date string, just in case. Maybe…
That will go a long way toward crippling injections, but won’t give you sane dates.
I don’t see anywhere that you are sending anything to the DB. You shouldn’t be sanitizing your page output (though sanitizing output is good) and expecting it to carry over to when the form processes or the link gets clicked. You should be sanitizing this just before the query runs (and using prepare) but I don’t see that part of the code at all.