wp_user_query question

  • Hey all – I just had a quick question. I’m using WP_User_Query for something in one of my template files, and I need to pass a variable from my URL in the address bar to the query. I’ve got that working fine – but I’m curious: does the WP_User_Query *clean* the stuff that’s passed? I don’t want someone to inject anything via the address bar into a query and do something that’s not intended with it.

    Basically, I’m doing this:

    // Take whatever follows the last '?' in the request URI.
    $url = $_SERVER['REQUEST_URI'];
    $what = explode('?', $url);
    $what = array_reverse($what);
    $whatquery = $what[0];
    // Pass the URL value to the query as the 'who' argument.
    $user_search = new WP_User_Query(array('meta_key' => 'meta', 'meta_value' => 'yes', 'orderby' => 'last_name', 'who' => $whatquery));

    So can anyone tell me if I need to add any extra security measures to this to ensure that “$whatquery” isn’t some nasty script/hack attempt? I just want to be sure it’s *clean* when entered, or to know that the wp_user_query already takes care of that for me.


Viewing 1 replies (of 1 total)
  • Actually, I found a workaround. Instead of creating a query, I redid it so it simply takes the string in the URL and does get_userdatabylogin(). So if the string isn’t an actual user’s login name, it goes to 404.

    Thanks anyway!
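
The workaround described in the reply, sketched as an added example that is not part of the original posts: the URL value is checked against the login-name character set before any lookup, and anything that fails gets a 404. It assumes the code runs inside a WordPress template, that the value arrives as a query parameter named `who`, and uses a hypothetical helper name; `get_user_by( 'login', ... )` stands in for `get_userdatabylogin()`, which has been deprecated since WordPress 3.3.

```php
<?php
// Added example: runs inside a WordPress template (WordPress functions loaded).
// The parameter name 'who' and the helper name are assumptions for illustration.

/**
 * Return the requested login name if it looks like one, otherwise null.
 */
function example_login_from_request( $param = 'who' ) {
    // Missing, or an array such as ?who[]=x: nothing usable.
    if ( ! isset( $_GET[ $param ] ) || ! is_string( $_GET[ $param ] ) ) {
        return null;
    }

    $raw = wp_unslash( $_GET[ $param ] );

    // Strict mode keeps only ASCII letters, digits, space and _ . - @
    $clean = sanitize_user( $raw, true );

    // Reject rather than repair: if sanitizing changed the value, it was
    // never a valid login. user_login is stored in a 60-character column.
    if ( '' === $clean || $clean !== $raw || strlen( $clean ) > 60 ) {
        return null;
    }

    return $clean;
}

$login = example_login_from_request();
$user  = ( null !== $login ) ? get_user_by( 'login', $login ) : false;

if ( ! $user ) {
    // Unknown or malformed value: answer 404 and stop before any output.
    global $wp_query;
    $wp_query->set_404();
    status_header( 404 );
    nocache_headers();
    get_template_part( '404' );
    exit;
}

// Only data from the matched account is used from here on, escaped on output.
echo esc_html( $user->display_name );
```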

  • The topic ‘wp_user_query question’ is closed to new replies.