Programmer puzzle solving

    最新消息:Welcome to the puzzle paradise for programmers! Here, a well-designed puzzle awaits you. From code logic puzzles to algorithmic challenges, each level is closely centered on the programmer's expertise and skills. Whether you're a novice programmer or an experienced tech guru, you'll find your own challenges on this site. In the process of solving puzzles, you can not only exercise your thinking skills, but also deepen your understanding and application of programming knowledge. Come to start this puzzle journey full of wisdom and challenges, with many programmers to compete with each other and show your programming wisdom! Translated with DeepL.com (free version)
    你的位置: HOME>matter>plugin development - do I need to sanitize a shortcode's function input?

    plugin development - do I need to sanitize a shortcode's function input?

    matteradmin6PV0评论

    I'm using the following custom plugin to count the number of members in the MemberPress database:

    function display_member_count( $atts ) {

    global $wpdb;
    $sql = "SELECT COUNT(`meta_key`) as count FROM `wp_usermeta` WHERE `meta_key` = 'mepr-address-state' && `meta_value` = '" . $atts[0] . "';";
    $myrows = $wpdb->get_results($sql);
    $member_count = $myrows[0]->count;

    return $member_count;
}

add_shortcode( 'member-count', 'display_member_count' );

    I would then use the shortcode [member-count nsw] to display the number of members in NSW.

    Do I need to sanitize $atts? If so, how please?

    Help appreciated.

    I'm using the following custom plugin to count the number of members in the MemberPress database:

    function display_member_count( $atts ) {

    global $wpdb;
    $sql = "SELECT COUNT(`meta_key`) as count FROM `wp_usermeta` WHERE `meta_key` = 'mepr-address-state' && `meta_value` = '" . $atts[0] . "';";
    $myrows = $wpdb->get_results($sql);
    $member_count = $myrows[0]->count;

    return $member_count;
}

add_shortcode( 'member-count', 'display_member_count' );

    I would then use the shortcode [member-count nsw] to display the number of members in NSW.

    Do I need to sanitize $atts? If so, how please?

    Help appreciated.

    • plugin-development
    • sanitization
    Share Improve this question asked Mar 30, 2019 at 7:54 SteveSteve 1,77719 gold badges67 silver badges115 bronze badges
    Add a comment  | 

    1 Answer 1

    Reset to default 0

    Of course you do have to sanitize it and escape it.

    Otherwise any author/editor of the site will be able to perform any query on your database.

    First of all you should never create SQL queries like you do in your code. Never concatenate the raw SQL with anything that is variable or comes from user.

    You should use $wpdb->prepare for that.

    So your code should look more like that:

    $sql = "SELECT COUNT(meta_key) as count FROM {$wpdb->usermeta} WHERE meta_key = %s && meta_value = %s";
    $member_count = $wpdb->get_var( $wpdb->prepare( $sql, 'mepr-address-state', $atts[0] ) );

    As you can see, there is also no point in getting all rows (there’s only one) and there’s no point in getting all columns (there also is only one).

    That’s the escaping part that will save you from SQL injections.

    But yes - most likely you should also put some validation in there - but it depends on what are the available values for that param.

    Articles related to this article

    Post a comment

    comment list (0)

    1. No comments so far