_GET variable security with query_posts?

  • I am using a form to find all custom field values of a particular key. This form is submitted and I use _GET to pass the value in query_posts.

    Are there any security concerns with doing this? In this case it’s a dropdown select value that is getting found, but if I’m using text input should I use strip_tags or something like that to sanitize the input?

    Here is an example…

    if (!empty($_GET["property_type"])) {
        $ty = $_GET["property_type"];
    } else {
        $ty = "";
    }
    query_posts( array(
        'posts_per_page' => -1,
        'meta_query' => array(
            array(
                'key' => 'property_type',
                'value' => $ty,
                'compare' => 'LIKE'
            ),
        ),
    ));
Viewing 1 replies (of 1 total)
  • The topic ‘_GET variable security with query_posts?’ is closed to new replies.
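
For the question above, an added example (not part of the original post) of validating the submitted value before it reaches query_posts. The function name example_get_property_type and the list of allowed values are assumptions, and the code is meant to run inside a WordPress theme template or plugin.

```php
<?php
// Added example; example_get_property_type() is a hypothetical helper name.
function example_get_property_type( array $request ) {
    // Constructed values: use the options your dropdown actually offers.
    $allowed = array( 'house', 'apartment', 'land' );

    // Reject a missing value, or an array such as ?property_type[]=x.
    if ( ! isset( $request['property_type'] ) || ! is_string( $request['property_type'] ) ) {
        return '';
    }

    // WordPress adds slashes to $_GET, so remove them first, then strip
    // tags, line breaks and extra whitespace.
    $value = sanitize_text_field( wp_unslash( $request['property_type'] ) );

    // A dropdown has a fixed set of values, so anything else is discarded.
    // For a free-text input, drop this check and keep the sanitized string.
    return in_array( $value, $allowed, true ) ? $value : '';
}

$ty = example_get_property_type( $_GET );

// WordPress escapes and prepares meta_query values when it builds the SQL,
// so the validation above is about restricting input to expected values.
query_posts( array(
    'posts_per_page' => -1,
    'meta_query'     => array(
        array(
            'key'     => 'property_type',
            'value'   => $ty,
            'compare' => 'LIKE',
        ),
    ),
) );

// If the submitted value is printed back into the page (for example to
// keep the form field filled in), escape it for the output context.
echo '<input type="text" name="property_type" value="' . esc_attr( $ty ) . '">';
```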