_GET variable security with query_posts? | ww.wp.xz.cn

cmunns
(@cmunns)

14 years, 7 months ago
I am using a form to find all custom field values of a particular key. This form is submitted and I use _GET to pass the value in query_posts.

Are there any security concerns with doing this? In this case it’s a dropdown select value that is getting found, but if I’m using text input should I use strip_tags or something like that to sanitize the input?

Here is an example…
```
if (!empty($_GET["property_type"])) {
     $ty = $_GET["property_type"];
} else {
    $ty = "";
}
```
```
query_posts( array(
		'posts_per_page' => -1,
		'meta_query' => array(
			array(
		                    'key' => 'property_type',
		                    'value' => $ty,
		                    'compare' => 'LIKE'
		                ),
			),
));
```

Viewing 1 replies (of 1 total)

Jon Dingman
(@jdingman)

13 years, 10 months ago

Without sanitizing your $_GET, you are leaving yourself open to XSS attacks.

WordPress has some good documentation around Data Validation.

Viewing 1 replies (of 1 total)

The topic ‘_GET variable security with query_posts?’ is closed to new replies.

Tags

1 reply
2 participants
Last reply from: Jon Dingman
Last activity: 13 years, 10 months ago
Status: not resolved

Topics

Topics with no replies

Non-support topics

Resolved topics

Unresolved topics

All topics