Security guide needed on website structuring

PHP
#1

Senior friends,

I need your guidance on the way I structure my websites.

I usually create custom functions in a file called myfunctions and from there I use those functions in all the pages where necessary to avoid retyping.

E.g. mycustom_insert($where, $what)

This function is dynamic as I can change variables on what to insert.

But my question is, is this safe, knowing that someone else can simply execute such a function on a slight chance given?
For example, running such a mycustom_insert() in a query URL may end up inserting something into my database.

Is it safe for such functions to be created, or should I manually retype the code on every page where I want a particular function to run?

#2

Duplicating code makes maintenance harder and has the potential to open more security holes.

#3

You mean recoding every function in a page is not the best practice?

Yes, I found my method much easier to maintain, as I can fix a function in one place rather than having to edit several pages to make corrections.

#4

But then how can I prevent my code or function from executing in a query URL, or any code injection?

#5

I see something like this:

__('text to show');

esc_html('content to escape');

esc_url('link to escape');

Even though I use them, I still don't know exactly how someone can use an echoed plain text that is displayed in HTML against me.
Please, I need a practical guide on why it is not safe to echo a text without escaping it.

#6

It's not only against you, but also against other visitors of your page; look up XSS.

#7

If by that you mean you are regularly editing the code in one function definition or copy/pasting/editing the code under a new function name, this indicates that the code is not general-purpose, reusable, and has the wrong responsibility.

Perhaps show an example of your code that would allow something in a URL to control which function gets called?
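The following is an added example, not code posted in this thread, illustrating the two questions above: why an unescaped echo (#5/#6) is an XSS problem for every visitor, and how a shared helper like mycustom_insert($where, $what) can be written so that nothing in a URL chooses the table or the SQL. It assumes PHP with the pdo_sqlite extension; the table name, column names and the hostile comment are constructed for the demo.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// and a constructed "comments" table so it runs stand-alone: php example.php

// Reusable insert helper in the spirit of mycustom_insert($where, $what).
// The table name is checked against a fixed allow-list and values are bound
// parameters, so no request input is ever concatenated into the SQL text.
function mycustom_insert(PDO $pdo, string $where, array $what): bool
{
    $allowedTables = ['comments', 'messages'];            // constructed allow-list
    if (!in_array($where, $allowedTables, true)) {
        throw new InvalidArgumentException("Unknown table: $where");
    }
    $columns = array_keys($what);
    foreach ($columns as $c) {                            // column names come from
        if (!preg_match('/^[a-z_]+$/', $c)) {             // your code; still validate
            throw new InvalidArgumentException("Bad column name: $c");
        }
    }
    $placeholders = implode(',', array_fill(0, count($columns), '?'));
    $sql = sprintf('INSERT INTO %s (%s) VALUES (%s)',
                   $where, implode(',', $columns), $placeholders);
    return $pdo->prepare($sql)->execute(array_values($what));
}

// Why echoing stored text unescaped is dangerous (XSS): the browser treats
// the string as markup, so a comment containing a <script> tag runs for
// every visitor who views the page, not just the person who submitted it.
function render_unsafe(string $text): string
{
    return "<p>$text</p>";                                // markup emitted verbatim
}

// Escaped version: htmlspecialchars() turns < > & " ' into entities, so the
// browser displays the characters instead of interpreting them.
function render_safe(string $text): string
{
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// A function in myfunctions.php cannot be invoked from a URL by itself; only
// code such as "$_GET['fn']()" would let a request choose the function to call.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
$submitted = '<script>alert("xss")</script>';            // constructed hostile input
mycustom_insert($pdo, 'comments', ['body' => $submitted]);
$stored = $pdo->query('SELECT body FROM comments')->fetchColumn();
echo render_unsafe($stored), PHP_EOL;                     // script tag reaches the browser
echo render_safe($stored), PHP_EOL;                       // shown as literal text
```

Run it from the command line and compare the two output lines: the first would execute in a browser, the second is inert text.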