Security guide needed on website structuring

Senior friends,

I need your guidance on the way I structure my websites.

I usually create custom functions in a file called myfunctions, and from there I use those functions in all the pages where necessary to avoid retyping.

E.g. mycustom_insert($where, $what)

This function is dynamic, as I can change variables on what to insert.

But my question is: is this safe, knowing that someone else could simply execute such a function if given a slight chance?
For example, running mycustom_insert() from a query URL may end up inserting something into my database.

Is it safe to create such functions, or should I manually retype the code on every page where I want a particular function to run?

Duplicating code makes maintenance harder and has the potential to open more security holes.


You mean recoding every function in a page is not the best practice?

Yes, I found my method much easier to maintain, as I can fix a function in one place rather than having to edit several pages to make corrections.

But then how can I prevent my code or function from executing in a query URL, or any other code injection?

I see something like this:

__('text to show');

esc_html('content to escape');

esc_url('link to escape');

Even though I use them, I still don't know exactly how someone can use echoed plain text that is displayed in HTML against me.
Please, I need a practical guide on why it is not safe to echo text without escaping it.

It's not only against you, but also against other visitors of your page; look up XSS.

If by that you mean you are regularly editing the code in one function definition or copy/pasting/editing the code under a new function name, this indicates that the code is not general-purpose, reusable, and has the wrong responsibility.

Perhaps show an example of your code that would allow something in a URL to control which function gets called?

This is how I use the function:

mycustom_insert('apple', 'fruit');

mycustom_insert('mango', 'fruits');

mycustom_insert('television', 'electronic');

Same function call, but it inserts different data into the database, so on any page I can use the function and set the parameters for what is to be inserted.

I found that much easier to work with than retyping a full-blown SQL insert query,
or having one static function that only inserts apple and fruit any time it is called.
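As an added example, not code from the thread, here is the function written in PHP in the two shapes it can take (values spliced into the SQL versus bound as parameters), together with the HTML escaping the XSS reply points to. The PDO/SQLite setup, the table name and the meaning of the two parameters are my assumptions.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// through PDO so it runs stand-alone; the table items(name, category) and the
// parameter meaning (first = item name, second = category) are assumptions.
// Unsafe shape: the arguments are spliced into the SQL text, so any value
// containing a quote changes the statement itself (this is SQL injection).
function mycustom_insert_unsafe(PDO $pdo, string $where, string $what): void
{
    $pdo->exec("INSERT INTO items (name, category) VALUES ('$where', '$what')");
}

// Safe shape: the SQL is fixed at prepare time; values travel as bound
// parameters and are stored verbatim, never parsed as SQL.
function mycustom_insert(PDO $pdo, string $where, string $what): bool
{
    $stmt = $pdo->prepare('INSERT INTO items (name, category) VALUES (:n, :c)');
    return $stmt->execute([':n' => $where, ':c' => $what]);
}

// Output side (the XSS question): escape when a stored value is echoed into
// HTML, so markup inside it is shown as text instead of rendered by visitors.
function render_item(string $name): string
{
    return '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE items (name TEXT NOT NULL, category TEXT NOT NULL)');

// Constructed sample values: one containing a quote, one containing HTML tags.
mycustom_insert($pdo, 'apple', 'fruit');
mycustom_insert($pdo, "O'Brien's television", 'electronic');
mycustom_insert($pdo, '<b>mango</b>', 'fruits');

foreach ($pdo->query('SELECT name FROM items ORDER BY rowid') as $row) {
    echo render_item($row['name']), PHP_EOL;   // tags come out as &lt;b&gt;...
}

// The same quoted value through the unsafe version is a syntax error here;
// with attacker-chosen input it would instead be whatever SQL they supplied.
try {
    mycustom_insert_unsafe($pdo, "O'Brien's television", 'electronic');
} catch (PDOException $e) {
    echo 'unsafe version: the argument altered the SQL statement', PHP_EOL;
}
```

A function defined in myfunctions.php cannot be invoked from a URL by itself; that only happens when page code turns request values into function calls, so the real question is where the arguments come from and whether the page that accepts them validates the input and checks the visitor's authorization.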