This is the function:
function shortcode_output($atts) {
    return do_shortcode('[ks_tab col="'.$atts['num'].'"][/ks_tab]');
}
add_shortcode( 'my_shortcode', 'shortcode_output');
People would add a number (only a number) when using my shortcode. Do I need to escape it so that it accepts only numbers?
asked Jul 31, 2019 at 11:36 by pickos7

Comments:
- Yes, never trust user input. – Sally CJ, commented Jul 31, 2019 at 11:53
- @SallyCJ Why not post it as an answer? – kero, commented Jul 31, 2019 at 12:02
- thanks, Sally.... – pickos7, commented Jul 31, 2019 at 12:30
1 Answer
Yes, never trust user's input.
Just because you told people to provide a valid number for a specific shortcode parameter, it doesn't guarantee that the input will always be a valid number, so always secure user's input — and output.
You should also, if you haven't already done so, read these articles:
- Data Validation
- Securing Input
- Securing Output
And for example in your case, for accepting absolute integers only:
<?php
$cols = absint( $atts['num'] );
// Validate and set default value.
$cols = $cols ? $cols : 3;
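
The question's callback with the answer's validation applied end to end, as an added example that is not part of the original question or answer. The constant `MY_SHORTCODE_MAX_COLS` and its upper bound of 6 are assumptions; `ks_tab` is the inner shortcode from the question.

```php
<?php
// Added example: hardened version of the question's callback.
// MY_SHORTCODE_MAX_COLS (6) is an assumed limit; the default of 3
// follows the answer's snippet.
const MY_SHORTCODE_MAX_COLS = 6;

function shortcode_output( $atts ) {
    // WordPress passes an empty string instead of an array when the
    // shortcode is used without attributes; shortcode_atts() casts it
    // to an array and fills in the default for 'num'.
    $atts = shortcode_atts(
        array( 'num' => 3 ),
        $atts,
        'my_shortcode'
    );

    // absint() returns a non-negative integer; non-numeric text becomes 0.
    $cols = absint( $atts['num'] );

    // Treat 0 as "not provided" and cap the upper bound.
    if ( 0 === $cols ) {
        $cols = 3;
    }
    $cols = min( $cols, MY_SHORTCODE_MAX_COLS );

    // $cols is an integer here, so no quote or bracket characters from
    // the attribute can reach the inner shortcode string.
    return do_shortcode( sprintf( '[ks_tab col="%d"][/ks_tab]', $cols ) );
}
add_shortcode( 'my_shortcode', 'shortcode_output' );
```

Validating to an integer before building the inner shortcode covers the input side; whatever `ks_tab` prints is still responsible for escaping its own output.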