David Writes on Insecure PHP and WordPress Functions for Smashing Magazine
Your first million dollars. The game-winning catch. A guest post in Smashing Magazine. These are life’s moments of pure success, and David had one of them this week. We’ll keep you posted on the other two.
The article is on PHP functions—including a number of WordPress-only functions—that, by their nature, are potential security vulnerabilities. It’s (as usual) excellent and non-obvious technical writing. The biggest surprise for me was the issues with the extract() function, which I often use (following the Codex code demos, I believe) to extract shortcode arguments into variables of the same name. The list of need-to-knows for select WordPress functions—personal favorite is that esc_sql() doesn’t secure you from SQL injection, yikes—is also invaluable.
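To make the two points above concrete, here is an added example (my own illustration, not code from David's article or from WordPress itself): a shortcode handler written in the extract() style, followed by a hardened version of the same handler. The shortcode tag, table name and attribute names are constructed for the demo.

```php
<?php
// Added example: the extract() shortcode pattern beside a hardened handler,
// and why esc_sql() on its own does not stop SQL injection.
// Shortcode tag, table name and attribute names are constructed for illustration.

// --- Risky: every attribute the post author typed becomes a local variable. ---
function demo_gallery_risky( $atts ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_gallery';   // constructed table name

    // [demo_gallery id="3" table="wp_users"] silently overwrites $table,
    // because extract() defaults to EXTR_OVERWRITE and $atts is untrusted input.
    extract( $atts );

    // esc_sql() escapes quote characters but adds no quotes of its own, so an
    // unquoted value such as id="1 OR 1=1" passes through unchanged and turns
    // "WHERE id = 1" into "WHERE id = 1 OR 1=1", returning every row.
    $id = esc_sql( $id );
    return $wpdb->get_results( "SELECT * FROM {$table} WHERE id = {$id}" );
}

// --- Hardened: whitelist attributes, keep them in the array, parametrize. ---
function demo_gallery_safe( $atts ) {
    global $wpdb;
    $table = $wpdb->prefix . 'demo_gallery';

    // shortcode_atts() keeps only the keys listed in the defaults array, so a
    // "table" attribute (or anything else the handler never expected) is dropped.
    $atts = shortcode_atts( array( 'id' => 0 ), $atts, 'demo_gallery' );

    // Read values by key instead of extract(), and cast to the type the query needs.
    $id = absint( $atts['id'] );

    // $wpdb->prepare() with %d binds the value as an integer; the table name
    // comes from code, never from shortcode input.
    $sql = $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $id );
    return $wpdb->get_results( $sql );
}

add_shortcode( 'demo_gallery', 'demo_gallery_safe' );
```

The design point is that shortcode attributes are typed by whoever edits the post, so on a site with Contributor or Author accounts they are untrusted input: shortcode_atts() bounds which keys exist, array access keeps them from shadowing your own variables, and prepare() (not esc_sql()) is what actually makes the value safe in its query position.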
Check it out! You’ll learn about secure code in both WordPress and PHP more broadly, and you’ll be able to say you knew David before he was a millionaire making the game-winning catch.