在WordPress中使用ajax和update_post_meta()更新post_meta时如何防止注入?

时间:2017-02-21 08:41:48

标签: javascript ajax wordpress security code-injection

在WordPress中使用ajax和update_post_meta()更新post_meta时如何防止注入?我担心我网站上的用户输入容易受到注射和其他令人讨厌的东西的影响。

我是WordPress开发和Web开发的新手。

我正在构建一个系统,用户可以登录并更新有关其业务的各种信息,然后将其保存到MySQL数据库(将来我将使用来自客户端应用程序的WordPress REST API获取此数据)。因此,我构建了配置文件页面并为用户输入创建了一个表单,然后使用ajax和WordPress发送数据。 update_post_meta()函数。这是我的ajax回调:

/**
* AJAX Callback
* Always Echos and Exits
*/
function lla_update_profil_meta_callback() {

// Ensure we have the data we need to continue
if( ! isset( $_POST ) || empty( $_POST ) || ! is_user_logged_in() ) {

    // If we don't - return custom error message and exit
    header( 'HTTP/1.1 400 Empty POST Values' );
    echo 'Could Not Verify POST Values.';
    exit;
}

// Get our    current post ID
$post_id        = lla_get_post_id();     
if($post_id != null){

    //get all the values from $_POST
    $um_val         = sanitize_text_field($_POST['kategori_id'] ) ;      
    $selected_term_data = get_term((int)$um_val);
    $new_post_title = sanitize_text_field($_POST['post_title']);

    //these are the values and im guessing it should be here i protect against injection?
    $new_beskrivelse = $_POST['beskrivelse'];
    $new_telefon = $_POST['telefon'];
    $new_email = $_POST['email'];
    $new_website = $_POST['website'];
    $new_vejnavn = $_POST['vejnavn'];
    $new_husnummer = $_POST['husnummer'];
    $new_salside = $_POST['salside'];
    $new_postnummer = $_POST['postnummer'];
    $new_by = $_POST['by'];


    update_post_meta( $post_id, 'kategori_id', $um_val);
    update_post_meta($post_id, 'beskrivelse', $new_beskrivelse); 
    update_post_meta($post_id, 'telefon', $new_telefon);
    update_post_meta($post_id, 'email', $new_email);
    update_post_meta($post_id, 'website', $new_website);
    update_post_meta($post_id, 'vejnavn', $new_vejnavn);
    update_post_meta($post_id, 'husnummer', $new_husnummer);
    update_post_meta($post_id, 'salside', $new_salside);
    update_post_meta($post_id, 'postnummer', $new_postnummer);
    update_post_meta($post_id, 'by', $new_by);

    //make sure the category chosen is updated in the backend aswell
    wp_set_object_terms($post_id, (int)$um_val, $selected_term_data->taxonomy, false);
    //updating post-title
    $my_post = array(
      'ID'           => $post_id,
      'post_title'   => $new_post_title,
      'post_name' => $new_post_title,
    );
    wp_update_post($my_post);

}else{
    echo "no post";
}
exit;
}
add_action( 'wp_ajax_nopriv_um_cb', 'lla_update_profil_meta_callback' );
add_action( 'wp_ajax_um_cb', 'lla_update_profil_meta_callback' );

如何让这更安全?

1 个答案:

答案 0 :(得分:0)

使用以下功能:

esc_sql();
esc_attr();
esc_html();

另见Validating Sanitizing and Escaping User Data
例如:

$new_beskrivelse = esc_sql($_POST['beskrivelse']);
$new_telefon = esc_sql($_POST['telefon']);
$new_email = esc_sql($_POST['email']);
$new_website = esc_sql($_POST['website']);
相关问题
最新问题