[mystifier]

I like the idea of adding a BB to a WordPress website and BBPress offers good integration but, having had one website previously screwed with a Visitor’s Book, I am a bit paranoid about PHP Injection.

Since there is actually an invitation to put code between backticks, how secure is it against injection?

Is there a simple hack to exclude backticks?

[chrishajer]

The invitation to put code in backticks is actually the least of your worries. Anything in backticks gets escaped and displayed differently. You don’t want to hack that function to exclude backticks. Removing the function wouldn’t help with what you’re worried about.

You need to be concerned with input that is not sanitized, not input that is escaped in backticks.

I think bbPress has a very good security track record. There have been a couple problems in the past year (one XSS and one SQL injection I know of) but in general bbPress has been very secure. I don’t think you have to worry about getting hacked when using it. The software is written by professionals.

[nicoms]

chrishajer is right – bbPress probably wouldn’t have released without some tightly knit coding to escape malicious scripts as a standard practice. Though, if you do want to delve deeper into guarding against attacks, there are some pretty handy tutorials on managing databases here: http://www.microsoft.com/hellosecureworld7