I'm capturing username, email and password in a custom registration form on my WordPress site. I'm sanitising the username using sanitize_user(), and sanitize_email() sanitises the email address.
For example:
    $username = sanitize_user( $username );
    $email = sanitize_email( $email );
How should I sanitise the password entered by the user? All I can think of is sanitize_text_field( $pass ), but I'm sure that isn't the right way to do it.
Sanitizing won't necessarily protect you from injection. To protect against that you need to use prepared statements - or in the case of WordPress, use the $wpdb class.
Sanitization simply strips invalid characters. In the cases you've given above, it removes characters that are not allowed in usernames, or are not allowed in a valid email address. Passwords allow lots of different character types because that's what makes them 'strong', so you don't want to strip them out.
If you're using wp_insert_user() to create a WP User, then you don't need to sanitize any of it anyway; the function will take care of it all for you.
As mentioned, you can use the sanitize_text_field() function. It may cause some issues on some crazy passwords with special characters etc., but it should be okay.
wp_insert_user() state of sanitization and filters as of (2021) WordPress 5.7

wp_insert_user() and user_pass by default:
- user_pass via wp_hash_password(). Should NOT be sanitized.

wp_insert_user() and user_login by default:
- user_login via sanitize_user().
- user_login via empty().
- user_login via mb_strlen (60 characters maximum).
- user_login via username_exists() to users.user_login.
- user_login via illegal_user_logins to illegal user logins.

wp_insert_user() and user_nicename by default:
- user_nicename via sanitize_user().
- user_nicename via mb_strlen (50 characters maximum).
- user_nicename via sanitize_title().

wp_insert_user() and user_email by default:
- user_email via empty().
- user_email via strcasecmp to old.
- user_email via email_exists() to old.

wp_insert_user() and user_url, display_name, nickname, first_name, last_name, description, by default:
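A worked registration handler, added here as an example and not code from the question or any of the answers, that puts the first answer's advice and the wp_insert_user() list above into practice: the restricted-character-set fields (username, email) are sanitized and then validated, the password is handed to wp_insert_user() untouched so that wp_hash_password() sees exactly what the user typed, and any direct query against the users table goes through $wpdb->prepare() rather than relying on sanitization. The form field names reg_username, reg_email, reg_pass and reg_nonce, the nonce action example_register, the 12-character length policy and the example_* function names are all assumptions for the sake of illustration.

```php
<?php
/**
 * Added example (not from the question or the answers): a registration
 * handler that sanitizes the fields WordPress restricts and leaves the
 * password alone. Field names, nonce action and function names are
 * hypothetical.
 */
function example_handle_registration() {
    // Reject submissions that did not originate from our own form.
    if ( ! isset( $_POST['reg_nonce'] ) || ! wp_verify_nonce( $_POST['reg_nonce'], 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid form submission.' );
    }

    // Restricted-character-set fields: sanitize first, then validate.
    $username = sanitize_user( wp_unslash( $_POST['reg_username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['reg_email'] ?? '' ) );

    // Free-form field: do NOT sanitize. Only remove the slashes WordPress
    // adds to $_POST so the stored hash matches what the user typed.
    $password = wp_unslash( $_POST['reg_pass'] ?? '' );

    if ( '' === $username || ! validate_username( $username ) ) {
        return new WP_Error( 'bad_username', 'Username contains invalid characters.' );
    }
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'bad_email', 'Email address is not valid.' );
    }
    // Policy on length only (assumed minimum of 12); characters are left untouched.
    if ( mb_strlen( $password ) < 12 ) {
        return new WP_Error( 'weak_password', 'Password must be at least 12 characters.' );
    }

    // wp_insert_user() runs user_login through sanitize_user(), checks
    // username_exists()/email_exists(), enforces the 60-character limit and
    // hashes user_pass with wp_hash_password(). It returns the new user ID
    // or a WP_Error describing which of those checks failed.
    $user_id = wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => 'subscriber',
    ) );

    return $user_id; // int on success, WP_Error on failure
}

/**
 * Login-time check against the stored hash. The plaintext is never written
 * to the database, so there is nothing to make "database-safe".
 */
function example_password_matches( $plaintext, $user_id ) {
    $user = get_userdata( $user_id );
    return $user && wp_check_password( $plaintext, $user->user_pass, $user_id );
}

/**
 * The first answer's other point: if you do query the users table yourself,
 * injection is prevented by $wpdb->prepare() placeholders, not by sanitizing
 * the value beforehand.
 */
function example_user_id_for_login( $login ) {
    global $wpdb;
    return (int) $wpdb->get_var(
        $wpdb->prepare( "SELECT ID FROM {$wpdb->users} WHERE user_login = %s", $login )
    );
}
```

Callers should test the return value of example_handle_registration() with is_wp_error(); duplicate usernames and emails surface there as WP_Error objects produced by wp_insert_user() itself, which is why the handler does not repeat those existence checks.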