admin管理员组

文章数量:1434924

I'm using the following custom plugin to count the number of members in the MemberPress database:

function display_member_count( $atts ) {

    global $wpdb;
    $sql = "SELECT COUNT(`meta_key`) as count FROM `wp_usermeta` WHERE `meta_key` = 'mepr-address-state' && `meta_value` = '" . $atts[0] . "';";
    $myrows = $wpdb->get_results($sql);
    $member_count = $myrows[0]->count;

    return $member_count;
}

add_shortcode( 'member-count', 'display_member_count' );

I would then use the shortcode [member-count nsw] to display the number of members in NSW.

Do I need to sanitize $atts? If so, how please?

Help appreciated.

I'm using the following custom plugin to count the number of members in the MemberPress database:

function display_member_count( $atts ) {

    global $wpdb;
    $sql = "SELECT COUNT(`meta_key`) as count FROM `wp_usermeta` WHERE `meta_key` = 'mepr-address-state' && `meta_value` = '" . $atts[0] . "';";
    $myrows = $wpdb->get_results($sql);
    $member_count = $myrows[0]->count;

    return $member_count;
}

add_shortcode( 'member-count', 'display_member_count' );

I would then use the shortcode [member-count nsw] to display the number of members in NSW.

Do I need to sanitize $atts? If so, how please?

Help appreciated.

  • plugin-development
  • sanitization
Share Improve this question asked Mar 30, 2019 at 7:54 SteveSteve 1,77719 gold badges67 silver badges115 bronze badges
Add a comment  | 

1 Answer 1

Reset to default 0

Of course you do have to sanitize it and escape it.

Otherwise any author/editor of the site will be able to perform any query on your database.

First of all you should never create SQL queries like you do in your code. Never concatenate the raw SQL with anything that is variable or comes from user.

You should use $wpdb->prepare for that.

So your code should look more like that:

$sql = "SELECT COUNT(meta_key) as count FROM {$wpdb->usermeta} WHERE meta_key = %s && meta_value = %s";
    $member_count = $wpdb->get_var( $wpdb->prepare( $sql, 'mepr-address-state', $atts[0] ) );

As you can see, there is also no point in getting all rows (there’s only one) and there’s no point in getting all columns (there also is only one).

That’s the escaping part that will save you from SQL injections.

But yes - most likely you should also put some validation in there - but it depends on what are the available values for that param.

本文标签: plugin developmentdo I need to sanitize a shortcode39s function input

版权声明:本文标题:plugin development - do I need to sanitize a shortcode's function input? 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1745644309a2668042.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。