Stereonaut!

Writing Secure WordPress Plugins talk by Mark Jaquith
~ Nov 24, 2009


Continuing my notes and remarks from WordCamp, I attended Writing Secure Plugins, which was given by Mark Jaquith (@markjaquith on Twitter). I also found the talk slightly introductory on security matters, but nicely oriented to WordPress plugins and general PHP Web app development. I believe most of the tips given should be taken into consideration by every PHP coder out there, not just WP people.


The talk was split by the different attacks that are common on Web applications, mainly pointing to the functions to use and the actions to take. Here are my notes:

SQL injection

  • esc_sql(), escapes a string for use inside a SQL query; it escapes but does not quote, so the quotes around the value are still your job, and $wpdb->prepare() is the better choice wherever it fits.
  • absint(), converts a value to a non-negative integer (the absolute value of intval()), so an ID taken from the request can never carry SQL.
  • $wpdb->update(), a WordPress API method to update rows; it takes data and WHERE arrays and escapes the values itself.
  • $wpdb->insert(), a WordPress API method to insert a new row from a data array; it escapes the values itself.
  • compact(), PHP core function that builds an array from the local variables whose names you pass as strings, handy for the data arrays that insert() and update() take.
  • $wpdb->prepare(), builds a SQL statement from a format string with %s and %d placeholders, escaping and quoting the arguments for you.
  • $wpdb->get_var(), runs a query and returns a single value.
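The functions above, used together on one piece of request data, as an added example (it is not code from the talk or from the original post). It assumes a hypothetical plugin table named with the $wpdb->prefix plus "bookmarks", with columns id, user_id, url and title; everything else is current WordPress API.

```php
<?php
// Added example, not from the talk or the original post. A hypothetical
// plugin table "{$wpdb->prefix}bookmarks" (id, user_id, url, title) is
// assumed; $wpdb is the global WordPress database object.

global $wpdb;
$table = $wpdb->prefix . 'bookmarks';

// VULNERABLE: the request value is dropped straight into the query.
// ?id=1 OR 1=1 returns a row regardless of id; ?id=1 UNION SELECT ...
// reads other tables.
$id  = $_GET['id'];
$url = $wpdb->get_var( "SELECT url FROM $table WHERE id = $id" );

// SAFE: absint() forces a non-negative integer, and prepare() binds it with
// %d, so nothing from the request can change the statement's structure.
$id  = absint( $_GET['id'] );
$url = $wpdb->get_var( $wpdb->prepare(
    "SELECT url FROM $table WHERE id = %d",
    $id
) );

// Strings use %s. prepare() escapes and quotes them itself, so the
// placeholder is not wrapped in quotes and the value is not pre-escaped.
// wp_unslash() removes the slashes WordPress adds to request data.
$title = isset( $_POST['title'] ) ? wp_unslash( $_POST['title'] ) : '';
$rows  = $wpdb->get_results( $wpdb->prepare(
    "SELECT id, url FROM $table WHERE title = %s AND user_id = %d",
    $title,
    get_current_user_id()
) );

// insert() and update() take data arrays and escape every value; compact()
// builds that array from the local variables of the same names. The third
// argument gives the format of each value (%d or %s).
$user_id = get_current_user_id();
$url     = esc_url_raw( wp_unslash( $_POST['url'] ) );
$title   = sanitize_text_field( wp_unslash( $_POST['title'] ) );
$wpdb->insert( $table, compact( 'user_id', 'url', 'title' ), array( '%d', '%s', '%s' ) );
$wpdb->update(
    $table,
    array( 'title' => $title ),                  // SET
    array( 'id' => $id, 'user_id' => $user_id ), // WHERE: scoped to the owner
    array( '%s' ),                               // format of SET values
    array( '%d', '%d' )                          // format of WHERE values
);

// esc_sql() is the escape hatch for a query prepare() cannot express. It
// escapes but does not quote, so the quotes around the value are your job.
$safe_title = esc_sql( $title );
$count = $wpdb->get_var( "SELECT COUNT(*) FROM $table WHERE title = '$safe_title'" );
```

The WHERE clause of the update() call includes user_id on purpose: binding the ID stops injection, but a valid ID belonging to someone else is still a valid ID, so the query has to scope itself to the current user as well.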

Cross-site scripting (XSS)

  • "Everything is suspicious": escape on output, every time, picking the function by the context the data lands in.
  • esc_attr_e(), translates a string, escapes it for use in an HTML tag attribute and echoes it.
  • esc_html(), escapes a string for output as HTML text, between tags.
  • esc_attr(), escapes a string for use in an HTML tag attribute.
  • esc_url(), sanitizes a URL for output in HTML: rejects disallowed schemes such as javascript: and entity-encodes & as &amp;.
  • esc_url_raw(), the same sanitization without the HTML entity encoding, for URLs headed to the database or a redirect rather than into markup.
  • esc_js(), escapes a string for use inside a single-quoted JavaScript string literal; it does not make arbitrary JavaScript code safe.

Cross-site request forgery (CSRF)

AJAX CSRF

Privilege escalation

Stupid shit!

  • Avoid exec() at all costs!
  • For a form's action attribute, use a blank or hardcoded path instead of echoing $_SERVER['REQUEST_URI']: the client controls that string, so it is an XSS vector.
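The XSS list above and the form-action point from this section, shown on one piece of data, as an added example (not code from the talk or from the original post). It assumes a hypothetical $bookmark object with title and url fields read from the database, a hypothetical text domain my-bookmarks, and a loaded WordPress so the esc_* functions exist.

```php
<?php
// Added example, not from the talk or the original post. A hypothetical
// $bookmark object (title, url) read from the database is assumed; data from
// the database is still untrusted because it came from a request once.
// WordPress must be loaded for the esc_* functions to exist.

$title = $bookmark->title;  // e.g. "><script>alert(1)</script>
$url   = $bookmark->url;    // e.g. javascript:alert(document.cookie)

// VULNERABLE: raw output in three contexts at once. The title breaks out of
// the attribute and injects a script tag; the URL runs JavaScript on click.
echo "<a href=\"$url\" title=\"$title\">$title</a>";

// SAFE: choose the escaper by the context the value lands in.

// 1. Text between tags: esc_html() encodes < > & and both quote characters.
echo '<h2>' . esc_html( $title ) . '</h2>';

// 2. Attribute values: esc_attr() encodes the quotes, so the value cannot
//    close the attribute and add another one such as onmouseover=.
echo '<input type="text" name="title" value="' . esc_attr( $title ) . '">';

// 3. URLs in HTML: esc_url() drops disallowed schemes (javascript:, data:)
//    and entity-encodes & as &amp;. esc_url_raw() applies the same scheme
//    check without the entity encoding, for values that never hit HTML
//    directly: a redirect target, or a URL about to be stored.
echo '<a href="' . esc_url( $url ) . '">' . esc_html( $title ) . '</a>';
$redirect_target = esc_url_raw( $url );   // later: wp_redirect( $redirect_target ); exit;

// 4. Inside a single-quoted JavaScript string: esc_js() backslash-escapes
//    single quotes and newlines and HTML-encodes < and double quotes, so the
//    value can end neither the string literal nor the script element. It is
//    only meaningful inside single quotes; it does not make attacker-supplied
//    JavaScript code safe to run.
echo "<script>var bookmarkTitle = '" . esc_js( $title ) . "';</script>";

// 5. Translated UI strings: esc_attr_e() translates, escapes for an attribute
//    and echoes, so the escaping cannot be forgotten after translation.
//    Form action: a blank action posts back to the current URL. Never build
//    it from $_SERVER['REQUEST_URI']; the client controls that string, so a
//    request for admin.php?page=bookmarks&"><script>... would land in the
//    page unescaped. A hardcoded admin_url( 'admin.php?page=bookmarks' )
//    wrapped in esc_url() is the other safe choice.
?>
<form method="post" action="">
    <input type="text" name="title" value="<?php echo esc_attr( $title ); ?>">
    <input type="submit" value="<?php esc_attr_e( 'Save bookmark', 'my-bookmarks' ); ?>">
</form>
```

Escaping is done at the last moment, at output, and the function is chosen by where the value is going, not by where it came from: the same $title needs esc_html() in a heading, esc_attr() in a value attribute and esc_js() in a script, and none of those would make it safe in a URL.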

Presentation

Written by David Moreno

November 24th, 2009 at 5:29 pm

