如何清理 WordPress 中的用户密码信息? [英] How to sanitize user password information in WordPress?

问题描述

我正在我的 WordPress 网站上的自定义注册表单中获取用户名、电子邮件和密码.我正在使用 sanitize_user() 清理用户名，sanitize_email() 清理电子邮件地址.

I'm capturing username, email and password in a custom registration form on my WordPress site. I'm sanitising the username using sanitize_user() and sanitize_email() sanitises the email address.

例如:

$username = sanitize_user( $username );
$email = sanitize_email( $email );

我应该如何清理用户输入的密码?我能想到的只有 sanitize_text_field( $pass ) 但我确定这不是正确的做法.

How should I sanitise the password entered by the user? All I can think of is sanitize_text_field( $pass ) but I'm sure that isn't the right way to do it.

参考:

• http://codex.wordpress.org/Function_Reference/sanitize_user
• http://codex.wordpress.org/Function_Reference/sanitize_email

推荐答案

消毒不一定能保护您免受注射.为了防止这种情况，您需要使用准备好的语句 - 或者在 WordPress 的情况下，使用 $wpdb 类.

Sanitizing won't necessarily protect you from injection. To protect against that you need to use prepared statements - or in the case of WordPress, use the $wpdb class.

清理只是去除无效字符，在您上面给出的情况下，它会删除用户名中不允许的字符，或有效电子邮件地址中不允许的字符.密码允许使用多种不同的字符类型，因为这使它们变得强大"，因此您不想将它们剥离.

Sanitization simply strips invalid characters, in the cases you've given above, it removes characters not allowed in usernames, or are not allowed in a valid email address. Passwords allow lots of different character types because that's what makes them 'strong' so you don't want to strip them out.

如果您使用 wp_insert_user() 创建一个WP 用户，那么您无论如何都不需要对其进行消毒，该功能会为您处理一切.

If you're using wp_insert_user() to create a WP User, then you don't need to sanitize any of it anyway, the function will take care of it all for you.

这篇关于如何清理 WordPress 中的用户密码信息?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！