I wrote a very little WordPress application that uses URL parameter values to generate html content on a public site like this:
URL example:
www.mydomain/?prmtr=Chicago
Code:
$prmtr = isset( $_GET['prmtr'] ) ? $_GET['prmtr'] : 'NewYork';
A possible HTML integration is like this
<h1>Hello Person from <?php echo $prmtr; ?></h1>
Is WordPress doing all the "dirty work" for me, like preventing attackers from injecting SQL commands or other stuff?
Thanks in advance, Ben
Nope. That's raw PHP you've got there. You'll have to make it safe yourself.
As long as all you're doing with $prtmr is printing it out you don't need to worry about SQL injection, just XSS attacks.