Sanitizing URLs inserted into a WordPress MySQL database
I am writing a plugin for WordPress where I have my own custom table to store the relevant data retrieved from a remote API. One of the items I need to keep is the URL, which is a TEXT field in my database.
Since I've seen numerous comments saying not to use the standard mysql_ or mysqli_ functions in WordPress plugins, I'm wondering what the best way is to escape the URL before inserting it. Is using esc_url() enough, or is there anything else I should do beforehand?
case "Create":
{
    // Raw form fields from the admin screen (not yet sanitized).
    $tag  = $_POST['product_tag'];
    $name = $_POST['product_name'];
    $asin = $_POST['product_id'];
    // Look up price and URL for this ASIN via the remote API helper.
    $response = getPrice("com", $asin);
    // $wpdb->insert() quotes every value itself, so no manual SQL escaping is needed;
    // $wpdb must be in scope (global $wpdb; when this runs inside a function).
    $result = $wpdb->insert( $table_name, array(
        'tag'   => $tag,
        'name'  => $name,
        'asin'  => $asin,
        'price' => $response['price'],
        'url'   => esc_url($response['url'])
    ));
    if ($result !== FALSE)
        echo "Successfully inserted new Amazon Product.";
    else
        echo "An Error occurred.";
    break;
}
Usually you just put the URL into your database as-is and only worry about security issues when outputting it. This of course assumes that you are doing everything right, as you are here, where you explicitly call the insert function with the data passed as an associative array.
The real risk is people bypassing WPDB and inserting things directly, often badly, using string concatenation.
Call esc_url when displaying these values. Since you may change which URLs are allowed from time to time, restricting or opening them up as your needs change, it is best to store them in the database as they are and prepare them for display on a case-by-case basis.
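To make the answer's two points concrete (let WPDB quote the values, and escape for the output context at display time rather than at insert time), here is an added example that is not part of the question or the answer. It assumes a WordPress environment where $wpdb, esc_url(), esc_url_raw(), esc_html(), sanitize_text_field() and wp_unslash() are available; the table name, the getPrice() helper borrowed from the question, and the amazon_product_* function names are hypothetical. The first function shows the string-concatenation anti-pattern the answer warns about, beside the safe forms.

```php
<?php
// Added example (not from the original question or answer). Assumes a
// WordPress environment; $table_name, getPrice() and the amazon_product_*
// function names are hypothetical.

// BAD: bypassing WPDB's parameter handling with string concatenation.
// A value such as  '); DROP TABLE wp_amazon_products; --  becomes part of
// the SQL text. esc_url() does not prevent this: it cleans a URL, it does
// not escape SQL.
function amazon_product_insert_unsafe( $table_name, $asin, $url ) {
    global $wpdb;
    $sql = "INSERT INTO $table_name (asin, url) VALUES ('" . $asin . "', '" . esc_url( $url ) . "')";
    return $wpdb->query( $sql ); // do not do this
}

// GOOD: hand WPDB the values as an associative array and let it quote them.
// The optional third argument declares each column's placeholder type
// (%s / %d / %f), so numeric columns are not silently cast from strings.
function amazon_product_insert_safe( $table_name, array $product ) {
    global $wpdb;
    $data = array(
        'tag'   => sanitize_text_field( $product['tag'] ),
        'name'  => sanitize_text_field( $product['name'] ),
        'asin'  => sanitize_text_field( $product['asin'] ),
        'price' => (float) $product['price'],
        // esc_url_raw() is the storage-side variant of esc_url(): it drops
        // invalid characters and disallowed schemes but does not HTML-encode
        // '&', so the stored value is the URL itself, not display markup.
        'url'   => esc_url_raw( $product['url'] ),
    );
    $result = $wpdb->insert( $table_name, $data, array( '%s', '%s', '%s', '%f', '%s' ) );
    return ( false === $result ) ? false : (int) $wpdb->insert_id;
}

// GOOD: read back with a prepared statement, then escape for the output
// context at display time. The table name is a trusted plugin constant and
// cannot be a placeholder, so it is interpolated; the ASIN is bound with %s.
function amazon_product_render_link( $table_name, $asin ) {
    global $wpdb;
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT name, url FROM {$table_name} WHERE asin = %s", $asin )
    );
    if ( ! $row ) {
        return '';
    }
    // esc_url() for the href attribute, esc_html() for the visible text.
    return sprintf( '<a href="%s">%s</a>', esc_url( $row->url ), esc_html( $row->name ) );
}

// Wiring the question's "Create" action to the safe helper. wp_unslash()
// undoes the slashes WordPress adds to $_POST before the values are sanitized.
function amazon_product_handle_create( $table_name ) {
    $asin     = sanitize_text_field( wp_unslash( $_POST['product_id'] ) );
    $response = getPrice( 'com', $asin ); // hypothetical remote-API helper from the question
    return amazon_product_insert_safe( $table_name, array(
        'tag'   => wp_unslash( $_POST['product_tag'] ),
        'name'  => wp_unslash( $_POST['product_name'] ),
        'asin'  => $asin,
        'price' => $response['price'],
        'url'   => $response['url'],
    ) );
}
```

The split matters because esc_url() and SQL escaping solve different problems: $wpdb->insert() and $wpdb->prepare() keep data out of the SQL text, while esc_url() on output keeps the stored value from breaking out of an href attribute. Storing with esc_url_raw() (or as-is, as the answer suggests) and escaping with esc_url() at render time means a later change to the allowed URL schemes only touches the display path.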