This is the function:
function shortcode_output($atts) {
    return do_shortcode('[ks_tab col="'.$atts['num'].'"][/ks_tab]');
}
add_shortcode( 'my_shortcode', 'shortcode_output');
People would add a number (only number) when using my shortcode, do I need to escape it so that it accepts only numbers?
asked Jul 31, 2019 at 11:36 by pickos7
- Yes, never trust user input. – Sally CJ Commented Jul 31, 2019 at 11:53
- @SallyCJ Why not post it as an answer? – kero Commented Jul 31, 2019 at 12:02
- thanks, Sally.... – pickos7 Commented Jul 31, 2019 at 12:30
1 Answer
Yes, never trust user's input.
Just because you told people to provide a valid number for a specific shortcode parameter, it doesn't guarantee that the input will always be a valid number, so always secure user's input — and output.
You should also, if you haven't already done so, read these articles:
Data Validation
Securing Input
Securing Output
And for example in your case, for accepting absolute integers only:
<?php
$cols = absint( $atts['num'] );
// Validate and set default value.
$cols = $cols ? $cols : 3;
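The `absint()` check above placed into the question's shortcode callback, as an added example that is not code from the original answer. It assumes it runs inside WordPress (a plugin or a theme's functions.php); the upper limit of 6 columns is a hypothetical bound chosen for illustration.

```php
<?php
/**
 * Added example: hardened version of the question's shortcode callback.
 * Assumption: [ks_tab] expects a small positive integer in "col";
 * the upper bound of 6 is a hypothetical limit, not taken from the page.
 */
function shortcode_output( $atts ) {
    // Merge with defaults so 'num' always exists, even when the shortcode
    // is used without attributes (then $atts arrives as an empty string).
    $atts = shortcode_atts( array( 'num' => 3 ), $atts, 'my_shortcode' );

    // Sanitize: absint() casts to a non-negative integer, so inputs such as
    // 'abc', '-4' or '3" x="y' become 0, 4 and 3 respectively.
    $cols = absint( $atts['num'] );

    // Validate: fall back to the default when the value is 0 or out of range.
    if ( $cols < 1 || $cols > 6 ) {
        $cols = 3;
    }

    // $cols is an integer here, so only digits reach the nested shortcode
    // and the value cannot close the col="..." attribute or the tag.
    return do_shortcode( sprintf( '[ks_tab col="%d"][/ks_tab]', $cols ) );
}
add_shortcode( 'my_shortcode', 'shortcode_output' );
```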