David Writes on Insecure PHP and WordPress Functions for Smashing Magazine
Your first million dollars. The game-winning catch. A guest post in Smashing Magazine. These are life’s moments of pure success, and David had one of them this week. We’ll keep you posted on the other two.
The article is on PHP functions—including a number of WordPress-only functions—that, by their nature, are potential security vulnerabilities. It’s (as usual) excellent and non-obvious technical writing. The biggest surprise for me was the issues with the extract() function, which I often use (following the Codex code demos, I believe) to extract shortcode arguments into variables of the same name. The list of need-to-knows for select WordPress functions—personal favorite is that esc_sql() doesn’t secure you from SQL injection, yikes—is also invaluable.
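As an added illustration (not code from David's article, from WordPress, or from the Codex), here is plain PHP showing the two issues named above: extract() letting a shortcode attribute overwrite a local variable the handler never meant to expose, and esc_sql()-style escaping doing nothing for a value that lands in an unquoted SQL position. allowlist_atts() and esc_sql_like() are stand-ins written here for WordPress's shortcode_atts() and esc_sql(), so the file runs without WordPress; the inputs are constructed.

```php
<?php
// Added illustration, not from the article: extract() on shortcode attributes
// and esc_sql() on unquoted values. WordPress-free stand-ins are used so this
// runs on its own: allowlist_atts() imitates shortcode_atts(), esc_sql_like()
// imitates esc_sql().

// Allowlist merge, the way shortcode_atts() behaves: only keys that exist in
// $defaults survive, so an attribute named like an internal variable is dropped.
function allowlist_atts(array $defaults, array $atts): array {
    $out = $defaults;
    foreach ($defaults as $key => $value) {
        if (array_key_exists($key, $atts)) {
            $out[$key] = $atts[$key];
        }
    }
    return $out;
}

// Risky pattern: extract() turns every attribute into a local variable,
// including names the handler uses internally and never declared as attributes.
function gallery_shortcode_unsafe(array $atts): string {
    $upload_dir = '/srv/uploads';   // internal value the author trusts
    extract($atts);                 // $upload_dir can now be set by the shortcode author
    return "Listing images from $upload_dir, columns=" . ($columns ?? '3');
}

// Hardened pattern: read attributes only from the allowlisted array.
function gallery_shortcode_safe(array $atts): string {
    $upload_dir = '/srv/uploads';
    $a = allowlist_atts(['columns' => '3'], $atts);
    return "Listing images from $upload_dir, columns={$a['columns']}";
}

// Stand-in for esc_sql(): escapes quotes and backslashes, nothing else.
function esc_sql_like(string $v): string {
    return addslashes($v);
}

// Escaping only helps inside a quoted string literal. In an unquoted numeric
// position there is nothing to escape, so the query's shape is still attacker-controlled.
function build_query_unquoted(string $id): string {
    return "SELECT * FROM wp_posts WHERE ID = " . esc_sql_like($id);
}

// What to do instead: $wpdb->prepare() with a %d placeholder; emulated here by an int cast.
function build_query_prepared(string $id): string {
    return "SELECT * FROM wp_posts WHERE ID = " . (int) $id;
}

// Constructed inputs: a shortcode author sets an attribute the handler did not expect,
// and a request supplies a non-numeric id with no quotes in it.
$atts = ['columns' => '4', 'upload_dir' => '/etc'];
echo gallery_shortcode_unsafe($atts), "\n";
echo gallery_shortcode_safe($atts), "\n";
echo build_query_unquoted('1 OR 1=1'), "\n";
echo build_query_prepared('1 OR 1=1'), "\n";
```

The unsafe handler prints the attacker-chosen directory while the safe one keeps its own; the unquoted query comes back with the input untouched, which is why esc_sql() alone is not a SQL injection defense.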
Check it out! You’ll learn about secure code in both WordPress and PHP more broadly, and you’ll be able to say you knew David before he was a millionaire making the game-winning catch.
And if you want more on WordPress security from that Smashing mind, here’s your chance:
Want to Really Understand WordPress Security?
WordPress Security with Confidence is our comprehensive guide to WordPress security.
Starting with general security principles, and advancing to very specific actionable steps, we explain all the details you need to understand in clear, jargon-free language. It’s your essential companion on WordPress security.
Become an absolute expert, and gain the confidence that you’re doing WordPress security right.