
I wrote a very small WordPress application that uses URL parameter values to generate HTML content on a public site, like this:

URL example:

www.mydomain/?prmtr=Chicago

Code:

$prmtr = isset( $_GET['prmtr'] ) ? $_GET['prmtr'] : 'NewYork';

A possible HTML integration is like this:

<h1>Hello Person from <?php echo $prmtr; ?></h1>

Is WordPress doing all the "dirty work" for me, like preventing attackers from injecting SQL commands or other stuff?

Thanks in advance, Ben

  • If Chicago, NewYork and these kinds of values exist in the database, then you should match the value you get from the URL against the database. If it exists, then display it; else ignore it or use the default case. Commented Jun 3, 2015 at 8:34

1 Answer


Nope. That's raw PHP you've got there. You'll have to make it safe yourself.

As long as all you're doing with $prmtr is printing it out you don't need to worry about SQL injection, just XSS attacks.
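
The following is an added example, not code from the question, the answer or WordPress itself. It puts the question's vulnerable line next to the two fixes raised in this thread: escaping on output (the answer's point) and checking the value against an allowlist (the comment's suggestion). It runs from the PHP command line without WordPress; $_GET is replaced by a constructed array of sample inputs, and the list of known cities (KNOWN_CITIES) is a hypothetical stand-in for the database lookup the comment describes.

```php
<?php
// Added example: the question's raw echo beside two hardened variants.
// No WordPress needed; run with `php xss_demo.php`.

// Constructed inputs: what an attacker could send in ?prmtr=...
$samples = [
    'Chicago',
    '<script>alert(document.cookie)</script>',
    '"><img src=x onerror=alert(1)>',
];

// Hypothetical allowlist standing in for "values that exist in the database".
const KNOWN_CITIES = ['Chicago', 'NewYork', 'Boston'];

// 1. Vulnerable (as in the question): the raw parameter lands in the page
//    unchanged, so any HTML or script in it is rendered by the browser.
function render_raw(array $get): string
{
    $prmtr = isset($get['prmtr']) ? $get['prmtr'] : 'NewYork';
    return "<h1>Hello Person from $prmtr</h1>";
}

// Shared input handling for the hardened variants. Note that ?prmtr[]=x
// makes $_GET['prmtr'] an array, which the raw version would print as
// "Array" (with a notice) and htmlspecialchars() would reject; treat
// anything that is not a string as absent.
function read_prmtr(array $get): string
{
    return (isset($get['prmtr']) && is_string($get['prmtr']))
        ? $get['prmtr']
        : 'NewYork';
}

// 2. Output encoding: HTML-escape at the point of output. ENT_QUOTES covers
//    both quote styles, so the same call is safe inside an attribute too.
function render_escaped(array $get): string
{
    $safe = htmlspecialchars(read_prmtr($get), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Hello Person from $safe</h1>";
}

// 3. Allowlist: only values the application already knows are used at all;
//    anything else falls back to the default. Strict comparison so "0" or
//    other loosely-equal junk cannot sneak through. Still escaped on output,
//    which is defence in depth should the allowlist ever contain markup.
function render_allowlisted(array $get): string
{
    $prmtr = read_prmtr($get);
    if (!in_array($prmtr, KNOWN_CITIES, true)) {
        $prmtr = 'NewYork';
    }
    $safe = htmlspecialchars($prmtr, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Hello Person from $safe</h1>";
}

foreach ($samples as $value) {
    $get = ['prmtr' => $value];
    echo "input:       $value\n";
    echo "raw:         " . render_raw($get) . "\n";
    echo "escaped:     " . render_escaped($get) . "\n";
    echo "allowlisted: " . render_allowlisted($get) . "\n\n";
}
```

For the second and third samples the "raw" line contains live markup while the "escaped" line shows `&lt;script&gt;...` and the "allowlisted" line falls back to NewYork. Inside a real WordPress theme or plugin, `esc_html()` (and `esc_attr()` for attribute values) does the same job as the `htmlspecialchars()` call above using the site's configured charset; WordPress only applies it where you call it, not automatically on `$_GET`.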
