_GET variable security with query_posts? (2 posts)

  1. cmunns
    Posted 3 years ago #

    I am using a form to find all custom field values of a particular key. This form is submitted and I use _GET to pass the value in query_posts.

    Are there any security concerns with doing this? In this case it's a dropdown select value that is getting found, but if I'm using text input should I use strip_tags or something like that to sanitize the input?

    Here is an example...

    if (!empty($_GET["property_type"])) {
         $ty = $_GET["property_type"];
    } else {
        $ty = "";
    query_posts( array(
    		'posts_per_page' => -1,
    		'meta_query' => array(
    		                    'key' => 'property_type',
    		                    'value' => $ty,
    		                    'compare' => 'LIKE'
  2. Jonathan Dingman
    Posted 3 years ago #

    Without sanitizing your $_GET, you are leaving yourself open to XSS attacks.

    WordPress has some good documentation around Data Validation.

Topic Closed

This topic has been closed to new replies.

About this Topic