在 WordPress 中使用 ajax 和 update_post_meta() 更新 post_meta 时如何防止注入?
How can i protect against injection when updating the post_meta using ajax and update_post_meta() in WordPress?
在 WordPress 中使用 ajax 和 update_post_meta() 更新 post_meta 时如何防止注入?我担心我网站上的用户输入会使其容易受到注入和其他我想不到的讨厌的东西的攻击。
我是 WordPress 开发和 Web 开发的新手。
我正在构建一个系统,用户可以在其中登录并更新有关其业务的各种信息,然后将这些信息保存到 MySQL 数据库中(将来我将使用 WordPress REST API 来自客户端应用程序)。所以我构建了个人资料页面并为用户输入制作了一个表单,然后使用 ajax 和 WordPress 的 update_post_meta() 函数发送数据。这是我的 ajax 回调:
/**
* AJAX Callback
* Always Echos and Exits
*/
function lla_update_profil_meta_callback() {
// Ensure we have the data we need to continue
if( ! isset( $_POST ) || empty( $_POST ) || ! is_user_logged_in() ) {
// If we don't - return custom error message and exit
header( 'HTTP/1.1 400 Empty POST Values' );
echo 'Could Not Verify POST Values.';
exit;
}
// Get our current post ID
$post_id = lla_get_post_id();
if($post_id != null){
//get all the values from $_POST
$um_val = sanitize_text_field($_POST['kategori_id'] ) ;
$selected_term_data = get_term((int)$um_val);
$new_post_title = sanitize_text_field($_POST['post_title']);
//these are the values and im guessing it should be here i protect against injection?
$new_beskrivelse = $_POST['beskrivelse'];
$new_telefon = $_POST['telefon'];
$new_email = $_POST['email'];
$new_website = $_POST['website'];
$new_vejnavn = $_POST['vejnavn'];
$new_husnummer = $_POST['husnummer'];
$new_salside = $_POST['salside'];
$new_postnummer = $_POST['postnummer'];
$new_by = $_POST['by'];
update_post_meta( $post_id, 'kategori_id', $um_val);
update_post_meta($post_id, 'beskrivelse', $new_beskrivelse);
update_post_meta($post_id, 'telefon', $new_telefon);
update_post_meta($post_id, 'email', $new_email);
update_post_meta($post_id, 'website', $new_website);
update_post_meta($post_id, 'vejnavn', $new_vejnavn);
update_post_meta($post_id, 'husnummer', $new_husnummer);
update_post_meta($post_id, 'salside', $new_salside);
update_post_meta($post_id, 'postnummer', $new_postnummer);
update_post_meta($post_id, 'by', $new_by);
//make sure the category chosen is updated in the backend aswell
wp_set_object_terms($post_id, (int)$um_val, $selected_term_data->taxonomy, false);
//updating post-title
$my_post = array(
'ID' => $post_id,
'post_title' => $new_post_title,
'post_name' => $new_post_title,
);
wp_update_post($my_post);
}else{
echo "no post";
}
exit;
}
add_action( 'wp_ajax_nopriv_um_cb', 'lla_update_profil_meta_callback' );
add_action( 'wp_ajax_um_cb', 'lla_update_profil_meta_callback' );
我怎样才能使它更安全?
使用如下函数:
esc_sql();
esc_attr();
esc_html();
另见 Validating Sanitizing and Escaping User Data
示例:
$new_beskrivelse = esc_sql($_POST['beskrivelse']);
$new_telefon = esc_sql($_POST['telefon']);
$new_email = esc_sql($_POST['email']);
$new_website = esc_sql($_POST['website']);
在 WordPress 中使用 ajax 和 update_post_meta() 更新 post_meta 时如何防止注入?我担心我网站上的用户输入会使其容易受到注入和其他我想不到的讨厌的东西的攻击。
我是 WordPress 开发和 Web 开发的新手。
我正在构建一个系统,用户可以在其中登录并更新有关其业务的各种信息,然后将这些信息保存到 MySQL 数据库中(将来我将使用 WordPress REST API 来自客户端应用程序)。所以我构建了个人资料页面并为用户输入制作了一个表单,然后使用 ajax 和 WordPress 的 update_post_meta() 函数发送数据。这是我的 ajax 回调:
/**
* AJAX Callback
* Always Echos and Exits
*/
function lla_update_profil_meta_callback() {
// Ensure we have the data we need to continue
if( ! isset( $_POST ) || empty( $_POST ) || ! is_user_logged_in() ) {
// If we don't - return custom error message and exit
header( 'HTTP/1.1 400 Empty POST Values' );
echo 'Could Not Verify POST Values.';
exit;
}
// Get our current post ID
$post_id = lla_get_post_id();
if($post_id != null){
//get all the values from $_POST
$um_val = sanitize_text_field($_POST['kategori_id'] ) ;
$selected_term_data = get_term((int)$um_val);
$new_post_title = sanitize_text_field($_POST['post_title']);
//these are the values and im guessing it should be here i protect against injection?
$new_beskrivelse = $_POST['beskrivelse'];
$new_telefon = $_POST['telefon'];
$new_email = $_POST['email'];
$new_website = $_POST['website'];
$new_vejnavn = $_POST['vejnavn'];
$new_husnummer = $_POST['husnummer'];
$new_salside = $_POST['salside'];
$new_postnummer = $_POST['postnummer'];
$new_by = $_POST['by'];
update_post_meta( $post_id, 'kategori_id', $um_val);
update_post_meta($post_id, 'beskrivelse', $new_beskrivelse);
update_post_meta($post_id, 'telefon', $new_telefon);
update_post_meta($post_id, 'email', $new_email);
update_post_meta($post_id, 'website', $new_website);
update_post_meta($post_id, 'vejnavn', $new_vejnavn);
update_post_meta($post_id, 'husnummer', $new_husnummer);
update_post_meta($post_id, 'salside', $new_salside);
update_post_meta($post_id, 'postnummer', $new_postnummer);
update_post_meta($post_id, 'by', $new_by);
//make sure the category chosen is updated in the backend aswell
wp_set_object_terms($post_id, (int)$um_val, $selected_term_data->taxonomy, false);
//updating post-title
$my_post = array(
'ID' => $post_id,
'post_title' => $new_post_title,
'post_name' => $new_post_title,
);
wp_update_post($my_post);
}else{
echo "no post";
}
exit;
}
add_action( 'wp_ajax_nopriv_um_cb', 'lla_update_profil_meta_callback' );
add_action( 'wp_ajax_um_cb', 'lla_update_profil_meta_callback' );
我怎样才能使它更安全?
使用如下函数:
esc_sql();
esc_attr();
esc_html();
另见 Validating Sanitizing and Escaping User Data
示例:
$new_beskrivelse = esc_sql($_POST['beskrivelse']);
$new_telefon = esc_sql($_POST['telefon']);
$new_email = esc_sql($_POST['email']);
$new_website = esc_sql($_POST['website']);