如何清理 WordPress 中的用户密码信息?
[英]How to sanitize user password information in WordPress?
问题描述
I'm capturing username, email and password in a custom registration form on my WordPress site.
我正在我的 WordPress 网站上的自定义注册表单中获取用户名、电子邮件和密码。 I'm sanitising the username using sanitize_user() and sanitize_email() sanitises the email address.我正在使用sanitize_user() sanitize_email()用户名, sanitize_user() sanitize_email()电子邮件地址。
For example:例如:
$username = sanitize_user( $username );
$email = sanitize_email( $email );
How should I sanitise the password entered by the user?我应该如何清理用户输入的密码? All I can think of is sanitize_text_field( $pass ) but I'm sure that isn't the right way to do it.我能想到的只是sanitize_text_field( $pass )但我确定这不是正确的方法。
Ref:参考:
3 个解决方案
解决方案1
3 2014-08-01 10:41:11
Sanitizing won't necessarily protect you from injection.消毒不一定能保护您免受注射。 To protect against that you need to use prepared statements - or in the case of WordPress, use the $wpdb class .为了防止这种情况,您需要使用准备好的语句 - 或者在 WordPress 的情况下,使用$wpdb 类。
Sanitization simply strips invalid characters, in the cases you've given above, it removes characters not allowed in usernames, or are not allowed in a valid email address.清理只是去除无效字符,在您上面给出的情况下,它会删除用户名中不允许的字符,或有效电子邮件地址中不允许的字符。 Passwords allow lots of different character types because that's what makes them 'strong' so you don't want to strip them out.密码允许使用许多不同的字符类型,因为这就是它们“强大”的原因,因此您不想将它们删除。
If you're using wp_insert_user() to create a WP User, then you don't need to sanitize any of it anyway, the function will take care of it all for you.如果您使用wp_insert_user()创建一个 WP 用户,那么您无论如何都不需要对其进行清理,该函数将为您处理所有这些。
解决方案2
0 2019-03-14 06:37:17
As mentioned you can use the sanitize_text_field() function.如前所述,您可以使用sanitize_text_field()函数。 It may cause some issues on some crazy passwords with special characters etc.它可能会导致一些带有特殊字符等的疯狂密码出现问题。
But it should be okay.不过应该没问题。
解决方案3
0 2021-04-02 17:18:06
wp_insert_user() state of sanitization and filters as off (2021) WordPress 5.7 wp_insert_user()消毒状态和过滤器关闭 (2021) WordPress 5.7
wp_insert_user() and user_pass by default: wp_insert_user()和user_pass默认:
- Hash
user_passviawp_hash_password().通过wp_hash_password()散列user_pass。
Should NOT be sanitized.
wp_insert_user() and user_login by default: wp_insert_user()和user_login默认:
- Sanitize
user_loginviasanitize_user().通过sanitize_user()清理user_login。 - Filter
user_loginviaempty().通过empty()过滤user_login。 - Filter
user_loginviamb_strlen.通过mb_strlen过滤user_login。 (60 characters maximum).(最多 60 个字符)。 - Compare
user_loginviausername_exists()to users.通过username_exists()将user_login与用户进行比较。 - Compare
user_loginviaillegal_user_loginsto illegal user logins.比较user_login通过illegal_user_logins非法用户登录。
wp_insert_user() and user_nicename by default: wp_insert_user()和user_nicename默认情况下:
- Sanitize
user_nicenameviasanitize_user().通过sanitize_user()清理user_nicename。 - Filter
user_nicenameviamb_strlen.过滤user_nicename通过mb_strlen。 (50 characters maximum).(最多 50 个字符)。 - Sanitize
user_nicenameviasanitize_title().通过sanitize_title()清理user_nicename。
wp_insert_user() and user_email by default: wp_insert_user()和user_email默认情况下:
- No distinct sanitization.没有明显的消毒。
- Filter
user_emailviaempty().通过empty()过滤user_email。 - Compare
user_emailviastrcasecmpto old.通过strcasecmp将user_email与旧的进行比较。 - Compare
user_emailviaemail_exists()to old.比较user_email通过email_exists()到老。
wp_insert_user() and user_url , display_name , nickname , first_name , last_name , last_name , description , by default: wp_insert_user()和user_url , display_name , nickname , first_name , last_name , last_name , description ,默认情况下:
- No distinct sanitization.没有明显的消毒。
- No distinct filters.没有明显的过滤器。
- No distinct comparison.没有明显的比较。
Sources来源
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.