DESCRIPTION
The WordPress Plugin & Theme Security presentation at WordCamp Melbourne February 2011.
Plugin & Theme
Security
http://johnford.is/
@iamjohnford
SQL Injection
BAD
$wpdb->query("UPDATE $wpdb->posts SET post_title = '$new_title' WHERE ID = $id");
BAD
$wpdb->query("SELECT * FROM $wpdb->users WHERE user_login = '$username' AND user_pass = '$password'");
BAD
$username = "' OR 1 -- ";
$wpdb->query("SELECT * FROM $wpdb->users WHERE user_login = '$username' AND user_pass = '$password'");
BAD
$wpdb->query("SELECT * FROM $wpdb->users WHERE user_login = '' OR 1 -- ' AND user_pass = '$password'");
GOOD
$wpdb->update()
GOOD
$wpdb->update( $wpdb->posts, array( 'post_title' => $new_title ), array( 'ID' => $id ));
GOOD
$wpdb->insert( $table, $data );
GOOD
$wpdb->prepare()
GOOD
$wpdb->prepare( "SELECT * FROM $wpdb->posts WHERE post_name = %s OR ID = %d", $some_name, $some_id);
http://codex.wordpress.org/Function_Reference/wpdb_Class
XSS
Cross-site Scripting
BAD
<h1> <?php echo $title; ?></h1>
BAD
$title = '<script>jsCode();</script>';
<h1> <?php echo $title; ?></h1>
GOOD
<h1> <?php echo esc_html( $title ); ?></h1>
esc_attr_e()
BAD
<a href="#wordcamp" title="<?php echo $title; ?>"> Link Text</a>
BAD
<?php $title = '" onmouseover="jsCode();'; ?>
<a href="#wordcamp" title="<?php echo $title; ?>"> Link Text</a>
GOOD
<a href="#wordcamp" title="<?php echo esc_attr( $title ); ?>"> Link Text</a>
GOOD
esc_textarea()
BAD
<a href="<?php echo $url; ?>">Link Text</a>
BAD
<?php $url = 'javascript:jsCode();'; ?>
<a href="<?php echo $url; ?>"> Link Text</a>
GOOD
<a href="<?php echo esc_url( $url ); ?>"> Link Text</a>
BAD
<form action="<?php echo $_SERVER['REQUEST_URI']; ?>">
GOOD
<form action="<?php echo esc_url( $_SERVER['REQUEST_URI'] ); ?>">
BAD
<script> var foo = '<?php echo $unsafe; ?>';</script>
GOOD
<script> var foo = '<?php echo esc_js( $unsafe ); ?>';</script>
GOOD
wp_filter_kses( $data )
http://codex.wordpress.org/Data_Validation
CSRF
Cross-site Request Forgery
Nonces
action-, object-, & user-specific
time-limited secret keys
GOOD
wp_nonce_field( 'plugin-action_object' )
GOOD
check_admin_referer( 'plugin-action_object' )
http://codex.wordpress.org/WordPress_Nonces
eval() = evil
Thank you!
http://johnford.is/
@iamjohnford