Potential Security Issue in Custom Taxonomy Search Functionality

I’m wishing to add some functionality to a client WordPress site that allows you to include taxonomy terms from custom post types in the WordPress search, and come across the following answer:

Include custom taxonomy term in search

This solution does work, but in the comments a user has mentioned that it’s “probably not a good idea to inject the raw publicly available search string directly into an SQL query.” and added a link for further reading. I can’t see anything in this link that relates to the specifices of the answer though.

For quick reference the code for the answer is below, would this code be a security risk? And if so what would the solution be so you can still have the functionality of being able to include taxonomy terms in the WP search without the security risk?

Many thanks

// search all taxonomies, based on: http://projects.jesseheap.com/all-projects/wordpress-plugin-tag-search-in-wordpress-23  function atom_search_where($  where){ global $  wpdb; if (is_search())     $  where .= "OR (t.name LIKE '%".get_search_query()."%' AND {$  wpdb->posts}.post_status = 'publish')"; return $  where; }  function atom_search_join($  join){ global $  wpdb; if (is_search())     $  join .= "LEFT JOIN {$  wpdb->term_relationships} tr ON {$  wpdb->posts}.ID = tr.object_id INNER JOIN {$  wpdb->term_taxonomy} tt ON tt.term_taxonomy_id=tr.term_taxonomy_id INNER JOIN {$  wpdb->terms} t ON t.term_id = tt.term_id"; return $  join; }  function atom_search_groupby($  groupby){ global $  wpdb;  // we need to group on post ID $  groupby_id = "{$  wpdb->posts}.ID"; if(!is_search() || strpos($  groupby, $  groupby_id) !== false) return $  groupby;  // groupby was empty, use ours if(!strlen(trim($  groupby))) return $  groupby_id;  // wasn't empty, append ours return $  groupby.", ".$  groupby_id; }  add_filter('posts_where','atom_search_where'); add_filter('posts_join', 'atom_search_join'); add_filter('posts_groupby', 'atom_search_groupby'); 

Legality & security standards of sending SSN / Drivers License via email

I am building a website for use in the state of Ohio where users enter their last 4 digits of SSN or their Driver’s License number. This data is submitted to the webserver which generates a PDF with the information included on it. The PDF is then emailed to the user.

Are there security standards that govern how this type of sensitive data is handled, especially concerning email?

Also are there potential legal issues / concerns in building an application like this?

Thanks,

Mike

Does TLS (Transport Layer Security) protect against deliberate tampering or accidental corruption?

If someone tampers with data being transmitted over HTTPS using TLS, would that result in a corrupted decrypted message or would it result in the error being detected such as through a cryptographic checksum and retransmitted?

This has security implications as well as accidental corruption implications (https://stackoverflow.com/questions/3830206/can-a-tcp-checksum-fail-to-detect-an-error-if-yes-how-is-this-dealt-with).

Can someone in Cyber Security or IT help answer this basic question on the change of today’s malware? [closed]

1.) Before the most common types of malware were usually trojan horses and various other types of viruses derived from one’s own e-mail on a desktop. Given the timespan since those days, the game has changed. Today ways of breaching a user’s data have changed drastically. What are the most prevalent methods that an average person should be aware of today?

Security considerations when selling a printer

Ive got an HPW2228H laser printer, which i have used for about a year, which I wish to sell.

Are there any security issues to consider when selling a printer that has been used.

My considerations so far have been :

  • Would any previously printed / scanned documents be viewable / recallable by the purchaser
  • Would any wifi passwords stored on the computer be accessible to the purchaser

Could modded versions of Kik messenger pose a security threat?

I was on the Kik messenger app, and someone in a group chat posted screenshots of his modded Kik app that contains an “IP grabber”. He said he could hack people easily, and was very fast to tell me my own IP address. He was able to tell when anyone in the chatroom was lurking (i.e watching the chat without typing), for how long, their last activity, etc. I have no idea how, but he was able to know my IP address along with 2 other people in the chatroom. Prior to this, he had sent me a picture which I downloaded a week ago (he was pretending to be a normal person, it was a random funny meme). He has not sent me any links, and I have certainly not clicked on any links from him. We had a few messages back and forth, but that’s it. He said that he would hack me, so I logged out a few hours later. I used AVG antivirus and Kaspersky to scan my phone, and there were no issues detected. I manually checked my downloaded apps on Android, and there wasn’t any downloaded app that was new. I have since then logged out of Kik, but I am concerned: could he be spying on my phone, and what can I do to prevent this? Thanks.

Concrete example of how can Access-Control-Allow-Origin:* cause security risks?

I have done some research but have not found an absolute answer to my specific question. I understand the basic concept of how this header will allow or disallow website A from sending request and viewing response to resources on website B.

However, suppose website B set the header Access-Control-Allow-Credentials to false, and Access-Control-Allow-Origin: *, can this cause any concrete security risk to the user who is browsing website A (suppose website A is malicious)?