WordPress does not enforce any strict rules on plugins, and a plugin has complete control over the WordPress site. It is important to understand this, and the security and performance implications that follow when a plugin does not respect general good-behaviour guidelines.
Exploits such as SQL injection or Cross-Site Request Forgery (CSRF) can pose a serious security threat to the users of your plugin if particular care is not taken.
WordPress provides simple mechanisms to prevent these threats.
$wpdb->prepare(), $wpdb->insert(), $wpdb->update():
These are the database functions that should be used for building database queries and for inserting or updating information.

wp_nonce_url():
This function is used for links, and wp_nonce_field() is the corresponding function for forms. Used in combination with check_admin_referer() / check_ajax_referer(), they protect your requests against CSRF.
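How these helpers fit together in practice, as an added example that is not code from the original page: an admin form carrying a nonce field, a handler that verifies it with check_admin_referer() before touching the database through $wpdb->insert() and $wpdb->prepare(), and a nonce-protected link built with wp_nonce_url(). The plugin prefix, table name, action names and field names are assumptions for illustration.

```php
<?php
// Added example, not code from the original page: a plugin admin form and its
// handler wired through the nonce and $wpdb helpers described above.
// The table name, action names and field names are assumptions for illustration.

add_action( 'admin_post_myplugin_save_note', 'myplugin_handle_save_note' );

function myplugin_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="myplugin_save_note">';
    // Without this hidden nonce field, any site a logged-in admin visits could
    // submit this form on their behalf (CSRF).
    wp_nonce_field( 'myplugin_save_note', '_myplugin_nonce' );
    echo '<input type="text" name="note_title">';
    submit_button( 'Save' );
    echo '</form>';
}

function myplugin_handle_save_note() {
    global $wpdb;

    // A nonce proves intent, not authorization: check the capability as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Verifies the nonce (action name + field name) and dies on failure.
    check_admin_referer( 'myplugin_save_note', '_myplugin_nonce' );

    $title = sanitize_text_field( wp_unslash( $_POST['note_title'] ?? '' ) );
    $table = $wpdb->prefix . 'myplugin_notes'; // assumed table

    // Unsafe pattern, shown only for contrast: user input concatenated into SQL.
    // $wpdb->query( "INSERT INTO $table (title) VALUES ('$title')" );

    // Safe: $wpdb->insert() escapes and types each value via the format array.
    $wpdb->insert( $table, array( 'title' => $title, 'user_id' => get_current_user_id() ), array( '%s', '%d' ) );

    // Safe read: %d placeholder instead of string interpolation of the value.
    $count = (int) $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE user_id = %d", get_current_user_id() ) );

    wp_safe_redirect( add_query_arg( array( 'saved' => 1, 'count' => $count ), wp_get_referer() ) );
    exit;
}

// State-changing links get a nonce too, via wp_nonce_url(); the handler for
// 'myplugin_delete_note' would call check_admin_referer( 'myplugin_delete_note_' . $id ).
function myplugin_delete_link( $id ) {
    $url = admin_url( 'admin-post.php?action=myplugin_delete_note&id=' . (int) $id );
    return wp_nonce_url( $url, 'myplugin_delete_note_' . (int) $id );
}
```

Binding the nonce action to the record id (as the delete link does) means a nonce issued for one record cannot be replayed against another.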