halben, posted October 14, 2013

I'm working on a WordPress website. This is in the child's function.php file. I'm just wondering if I need to sanitize when I embed strings within HTML markup.

    if (is_user_logged_in()) {
        $user = wp_get_current_user();
        $fName = $user->user_firstname;
        $lName = $user->user_lastname;
        $items .= '<li id="user-name" title="Edit my profile" ><a href="' . site_url('/something') . '">' . $fName . ' ' . $lName . '</a></li>';
        $link = '<a href="' . wp_logout_url($redirect) . '" title="' . __('Logout') . '">' . __('Logout') . '</a>';
    }

Do I need to sanitize $items and $link? If so, would it be this?

    $items .= '<li id="user-name" title="Edit my profile" >htmlspecialchars(<a href="' . site_url('/something') . '">, ENT_QUOTES)' . $firstName . ' ' . $lastName . '</a></li>';
    $link = htmlspecialchars('<a href="' . wp_logout_url($redirect) . '" title="' . __('Logout') . '">' . __('Logout') . '</a>, ENT_QUOTES)';

How about this one?

    echo '<p>' . __('A message will be sent to your email address.') . '</p>';

to

    echo '<p>' . htmlspecialchars(__('A message will be sent to your email address.'), ENT_QUOTES) . '</p>';

Thanks for helping.

Link to comment: https://forums.phpfreaks.com/topic/282966-sanitize-data-help/
requinix, posted October 14, 2013

If there's a chance the value might not be safe for HTML then yes, you need to escape it. But only escape the unsafe values themselves - if you try to escape your entire string then you'll be escaping the parts too.

    $fName = htmlspecialchars($user->user_firstname, ENT_QUOTES, 'UTF-8'); // [1]
    $lName = htmlspecialchars($user->user_lastname, ENT_QUOTES, 'UTF-8');
    $items .= '<li id="user-name" title="Edit my profile"><a href="' . site_url('/something') /* [2] */ . '">' . $fName . ' ' . $lName . '</a></li>';

    $logout = htmlspecialchars(__('Logout'), ENT_QUOTES, 'UTF-8'); // [3]
    $link = '<a href="' . wp_logout_url($redirect) /* [2] */ . '" title="' . $logout . '">' . $logout . '</a>';

[1] You should also specify the character encoding.
[2] Probably safe.
[3] Probably safe for normal HTML, but you're putting it in a title="" so you do need to worry about quotes.
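The escaping rule from the question and the answer above, worked through as a stand-alone PHP script. This is an added example, not code from either poster: the helper name esc(), the function names user_item(), logout_link() and escaped_whole_string(), the example.com URLs and the sample profile data are all constructed, and the WordPress calls (site_url, wp_logout_url, __) are replaced by plain string parameters so it runs without WordPress. It shows why each untrusted value is escaped on its own before the trusted markup is concatenated around it, why the same label needs escaping when it sits inside title="" as well as in link text, and what happens to the markup when the whole string is passed to htmlspecialchars instead.

```php
<?php
// Added example (not from the thread). Escape each untrusted value for the
// context it lands in, then concatenate the trusted markup around it.
// All function names, URLs and sample data below are constructed.

// Escape a value for use as HTML text or inside a double-quoted attribute.
// ENT_QUOTES covers both " and '; the charset must match the page encoding.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// The <li> from the question: only the user-supplied names (and the URL,
// which is harmless to escape in an attribute) go through esc(); the tags
// themselves are written as trusted markup and stay intact.
function user_item(string $firstName, string $lastName, string $profileUrl): string
{
    return '<li id="user-name" title="Edit my profile"><a href="' . esc($profileUrl) . '">'
        . esc($firstName) . ' ' . esc($lastName) . '</a></li>';
}

// The logout link: the label appears twice, once inside title="" (where an
// unescaped quote would terminate the attribute) and once as link text, so
// it is escaped once and reused in both places.
function logout_link(string $logoutUrl, string $label): string
{
    $safeLabel = esc($label);
    return '<a href="' . esc($logoutUrl) . '" title="' . $safeLabel . '">' . $safeLabel . '</a>';
}

// What escaping the entire concatenated string does: the <li> and <a> tags
// are converted to entities too, so the browser shows them as literal text.
function escaped_whole_string(string $firstName): string
{
    return esc('<li id="user-name"><a href="/profile">' . $firstName . '</a></li>');
}

// Constructed sample profile data containing the characters that matter in
// HTML: double quotes, a single quote and angle brackets.
$firstName = 'Mary "MJ"';
$lastName  = "O'Brien <b>";

echo "Escaped values, trusted markup:\n";
echo user_item($firstName, $lastName, 'https://example.com/profile'), "\n";
echo logout_link('https://example.com/wp-login.php?action=logout', 'Log "out"'), "\n\n";

echo "Whole string escaped (markup destroyed):\n";
echo escaped_whole_string($firstName), "\n";
```

Run it with the PHP CLI. In the first two lines of output the quotes, apostrophe and angle brackets in the names and label come out as entities while the surrounding li and a tags are untouched; in the last line the tags are entities as well, which is the result the second snippet in the question would have produced.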
halben (author), posted October 15, 2013

Thank you requinix, that was helpful. I'll definitely learn more about SQL injection.