How to sanitize user password information in WordPress?
Question
I'm capturing username, email and password in a custom registration form on my WordPress site. I'm sanitising the username using sanitize_user() and sanitize_email() sanitises the email address.
For example:
$username = sanitize_user( $username );
$email = sanitize_email( $email );
How should I sanitise the password entered by the user? All I can think of is sanitize_text_field( $pass ) but I'm sure that isn't the right way to do it.
Ref:
3 answers
solution1
3 2014-08-01 10:41:11
Sanitizing won't necessarily protect you from injection. To protect against that you need to use prepared statements - or in the case of WordPress, use the $wpdb class .
Sanitization simply strips invalid characters, in the cases you've given above, it removes characters not allowed in usernames, or are not allowed in a valid email address. Passwords allow lots of different character types because that's what makes them 'strong' so you don't want to strip them out.
If you're using wp_insert_user() to create a WP User, then you don't need to sanitize any of it anyway, the function will take care of it all for you.
solution2
0 2019-03-14 06:37:17
As mentioned you can use the sanitize_text_field() function. It may cause some issues on some crazy passwords with special characters etc.
But it should be okay.
solution3
0 2021-04-02 17:18:06
wp_insert_user() state of sanitization and filters as off (2021) WordPress 5.7
wp_insert_user() and user_pass by default:
- Hash
user_passviawp_hash_password().
Should NOT be sanitized.
wp_insert_user() and user_login by default:
- Sanitize
user_loginviasanitize_user(). - Filter
user_loginviaempty(). - Filter
user_loginviamb_strlen. (60 characters maximum). - Compare
user_loginviausername_exists()to users. - Compare
user_loginviaillegal_user_loginsto illegal user logins.
wp_insert_user() and user_nicename by default:
- Sanitize
user_nicenameviasanitize_user(). - Filter
user_nicenameviamb_strlen. (50 characters maximum). - Sanitize
user_nicenameviasanitize_title().
wp_insert_user() and user_email by default:
- No distinct sanitization.
- Filter
user_emailviaempty(). - Compare
user_emailviastrcasecmpto old. - Compare
user_emailviaemail_exists()to old.
wp_insert_user() and user_url , display_name , nickname , first_name , last_name , last_name , description , by default:
- No distinct sanitization.
- No distinct filters.
- No distinct comparison.
Sources
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.