• Resolved berkeleypunk

    (@berkeleypunk)


    I am interested in the security of the plugins offered at https://es-mx.ww.wp.xz.cn/plugins/.
    I am interested to know if developers are required to use the official WordPress database development functions, for example:

      esc_sql()
      $wpdb->get_results()
      $wpdb->get_col()
      $wpdb->terms()

    Does WordPress review the plugin code and reject code that uses raw SQL, allowing communication with the database only through the functions/methods that WP itself provides?

    What if a developer decides to use only raw, non-parameterized SQL; does WP allow it?

    I can’t find information on this in the “Detailed Plugin Guidelines”: https://developer.ww.wp.xz.cn/plugins/wordpress-org/detailed-plugin-guidelines/

Viewing 3 replies - 1 through 3 (of 3 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    Developers are required to do things safely and securely. We would RATHER you do that via the WordPress functions, but if you really want to do something in pure SQL, as long as it’s safe it’s allowed.

    @ipstenu Thank you very much for answering.

    I would like to be a bit more specific. Let’s imagine that a developer used code similar to this:

    $id = $_POST['id'];
    $query = "SELECT * FROM mytable WHERE id=$id";

    This code is totally insecure, since it does not sanitize the value from the client (the ID), and it does not parameterize the value within the query.

    Could you tell me what is the ordinary response of WP towards similar practices?
    What if a developer submits this within their plugin to be reviewed by the WP team?
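    As an added illustration (not code from the thread or from WordPress core), the snippet above beside a version that binds the value with `$wpdb->prepare()`; the table name `{$wpdb->prefix}mytable`, its integer `id` column and the `slug` column are assumed for the example:

```php
<?php
// Added example, not from the thread. Assumes a custom table named
// {$wpdb->prefix}mytable with an integer primary key `id` and a `slug` column.

// --- Insecure form (the pattern the question describes): the POST value is
// interpolated straight into the SQL, so any non-numeric `id` alters the query.
function mytable_get_row_unsafe() {
    global $wpdb;
    $id = $_POST['id'];
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}mytable WHERE id=$id" );
}

// --- Hardened form: validate the input type first, then let $wpdb->prepare()
// bind the value. %d forces an integer, so no hand-written quoting or
// esc_sql() call is needed.
function mytable_get_row_safe() {
    global $wpdb;

    if ( ! isset( $_POST['id'] ) ) {
        return null;
    }

    // absint() maps anything non-numeric to 0; treat that as "no valid id".
    $id = absint( wp_unslash( $_POST['id'] ) );
    if ( 0 === $id ) {
        return null;
    }

    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}mytable WHERE id = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}

// String values get the same treatment with %s. Note that prepare() binds
// values only: table and column names must come from the plugin's own code,
// never from the request.
function mytable_find_by_slug_safe( $slug ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}mytable WHERE slug = %s",
        $slug
    );
    return $wpdb->get_row( $sql );
}
```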

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    Well no, we would kick them for not sanitizing. But that’s a different matter.

    You asked about not using WP functions, that’s NOT required as long as your code is SECURE, as I said.

    Developers are required to do things safely and securely.

    If you have a specific question about a specific plugin, you can email everything to [email protected] and someone will answer with details.

    Also we don’t generally approve of people using multiple accounts.


The topic ‘Does WP force plugin developers to use core WP functions?’ is closed to new replies.