BEFORE sending any data to the database, you first want to validate that data and then sanitize it. Why? To protect the integrity of the data. Before we save, we check that the data is what we think it should be. That’s the validation part of the process. Then we run it through a sanitizer process to strip out anything that shouldn’t be there, including malicious content such as script tags that could cause an unexpected and potentially dangerous experience in the browser.
Let me show you in this episode what happens if a script gets stored into the database and then it’s sent directly out to the browser without validation, sanitizing, or escaping.
It’s Your Job to Secure the Data
It’s your job as the developer to secure the data to protect the website, database, and the viewer/user/admin/you. Period. Listen to me. That’s your job.
Make sure you do these steps:
- Validate the raw data coming from the form (in $_POST): check that it is the type and shape you expect before you do anything else with it.
- Sanitize BEFORE saving to the database, using a sanitizer that matches the kind of data (plain text, URL, integer, email).
- Escape the data BEFORE rendering it out to the browser. And do it late, meaning within the VIEW file or the rendering function that calls the view file. Use the escaper that matches the output context: esc_html() for element text, esc_attr() inside an HTML attribute, esc_url() in a link. Sanitizing on the way in does not replace escaping on the way out; both are needed.
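Here is the whole procedure in one place, as an added example written for this page and not code from the lab itself. It assumes it runs inside WordPress as a plugin or theme snippet; the meta box id, meta keys (`_kc_demo_subtitle`, `_kc_demo_link`), nonce action and field names are hypothetical. It also shows the bail-out, nonce and capability checks that must happen before you even look at the posted data, and it treats a URL field differently from a plain-text field, because the sanitizer and the escaper both depend on what the data is.

```php
<?php
/**
 * Added example (not the lab's code): validate -> sanitize -> save, then escape late.
 * Assumes WordPress is loaded. Meta keys, nonce action and field names are hypothetical.
 */

add_action( 'add_meta_boxes', function () {
    add_meta_box( 'kc_demo_box', 'Demo Box', 'kc_demo_render_meta_box', 'post' );
} );

/**
 * The VIEW. Escape at the point of output, for the context the value lands in:
 * esc_attr() inside an attribute, esc_url() inside an href/url value.
 */
function kc_demo_render_meta_box( $post ) {
    $subtitle = get_post_meta( $post->ID, '_kc_demo_subtitle', true );
    $link     = get_post_meta( $post->ID, '_kc_demo_link', true );

    wp_nonce_field( 'kc_demo_save', 'kc_demo_nonce' );
    ?>
    <p>
        <label for="kc_demo_subtitle">Subtitle</label>
        <input type="text" id="kc_demo_subtitle" name="kc_demo_subtitle"
               value="<?php echo esc_attr( $subtitle ); ?>">
    </p>
    <p>
        <label for="kc_demo_link">Link</label>
        <input type="url" id="kc_demo_link" name="kc_demo_link"
               value="<?php echo esc_url( $link ); ?>">
    </p>
    <?php
}

/**
 * The SAVE process. Order matters: bail out if it isn't our box, verify the nonce
 * and the user's capability, then validate, then sanitize, then touch the database.
 */
add_action( 'save_post', 'kc_demo_save_meta_box' );
function kc_demo_save_meta_box( $post_id ) {
    // Bail out if this request did not come from our meta box, or is an autosave.
    if ( ! isset( $_POST['kc_demo_nonce'] ) ) {
        return;
    }
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    // Nonce: the form we rendered produced this request. Capability: this user
    // is allowed to edit this post at all (the nonce alone does not prove that).
    if ( ! wp_verify_nonce( $_POST['kc_demo_nonce'], 'kc_demo_save' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // --- Subtitle: plain text ------------------------------------------------
    // Validate: a form field can arrive as an array (name="x[]"), so insist on a string.
    $raw = isset( $_POST['kc_demo_subtitle'] ) ? $_POST['kc_demo_subtitle'] : '';
    if ( ! is_string( $raw ) ) {
        return;
    }
    // Sanitize: sanitize_text_field() strips tags (script/style blocks including
    // their contents), invalid bytes and line breaks, then trims. A posted value of
    // "Hi <script>alert(1)</script>" is stored as "Hi".
    $subtitle = sanitize_text_field( $raw );

    // Empty after sanitizing means delete the custom field; otherwise update it.
    if ( '' === $subtitle ) {
        delete_post_meta( $post_id, '_kc_demo_subtitle' );
    } else {
        update_post_meta( $post_id, '_kc_demo_subtitle', $subtitle );
    }

    // --- Link: a URL, so the rule set is different ---------------------------
    $raw_link = isset( $_POST['kc_demo_link'] ) ? $_POST['kc_demo_link'] : '';
    if ( ! is_string( $raw_link ) ) {
        return;
    }
    // esc_url_raw() is the sanitizer for storing a URL: it only allows the
    // schemes in wp_allowed_protocols(), so "javascript:alert(1)" becomes ''.
    $link = esc_url_raw( trim( $raw_link ) );
    if ( '' === $link ) {
        delete_post_meta( $post_id, '_kc_demo_link' );
    } else {
        update_post_meta( $post_id, '_kc_demo_link', $link );
    }
}

/**
 * Front-end template tag: escape late again, for the HTML text context this time.
 * Sanitizing at save time does not excuse skipping this step.
 */
function kc_demo_the_subtitle( $post_id ) {
    $subtitle = get_post_meta( $post_id, '_kc_demo_subtitle', true );
    echo '<h2 class="subtitle">' . esc_html( $subtitle ) . '</h2>';
}
```

Two things to notice. The subtitle and the link each get their own sanitizer and their own escaper, chosen by what the value is and where it is printed, not one generic "clean" function for everything. And the escaping happens in the render functions, right where the value is echoed, so a later change to how the value is stored or sanitized cannot quietly reopen the stored-script problem described above.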
If you listen carefully, you can hear the 1s and 0s flowing in your computer.
Total Lab Runtime: 02:21:18
- 1 Lab Introduction (free) 07:20
- 2 What is a Meta Box? (free) 07:28
- 3 Add a New Meta Box (pro) 11:46
- 4 Meta Box HTML (pro) 18:39
- 5 Save Process & $_POST (free) 12:33
- 6 Bail Out if Not Our Meta Box (pro) 05:03
- 7 Nonce Security Check (pro) 10:16
- 8 On Save - Update or Delete Custom Field? (pro) 12:03
- 9 Validate & Sanitize BEFORE Updating Database (free) 14:41
- 10 Add Another Custom Field (pro) 08:49
- 11 Making Save Easier with $_POST Key (pro) 05:32
- 12 Better Saving Strategy for Multiple Custom Fields (pro) 14:47
- 13 Changing Where Meta Box Appears (pro) 06:02
- 14 Passing Arguments to Render (pro) 02:18
- 15 Wrap & Making it Reusable (pro) 04:01