Correct way to make meta box with more than one meta field secure

First, let me say that there is no web application 100% secure.

That being said, you are using the nonce correctly. The function you are using, update_post_meta(), will sql-scape the data as it uses insert/update methods of wpdb class. So, there is no risk for most common security problemas.

What you should take care, I think, is data validation, and you are doing that incorrectly. You pass all meta fields values to wp_kses() function and you allow <a> elements in all the fields. I think that is not what you want; for example, I think you don’t want to allow <a> element in the email or phone fields.

Instead of pass all values to wp_kses() you should do a specific data validation and/or sanitization for each one. For example:

if( isset( $_POST['products_sold'] ) ) {
    update_post_meta( $post_id, 'products_sold', sanitize_text_field( $_POST['products_sold'] ) );
}
if( isset( $_POST['website'] ) ) {
     //Leave as it was to allow website as <a href="https://wordpress.stackexchange.com/questions/155143/...">...</a>
     //update_post_meta( $post_id, 'website', wp_kses( $_POST['website'], $allowed ) );
     update_post_meta( $post_id, 'website', esc_url_raw( $_POST['website'] ) );
}

if( isset( $_POST['address'] ) ) {
    update_post_meta( $post_id, 'address', sanitize_text_field( $_POST['address'] ) );
}

if( isset( $_POST['phone'] ) ) {
     update_post_meta( $post_id, 'phone', sanitize_text_field( $_POST['phone'] ) );
}

if( isset( $_POST['email'] ) ) {
    update_post_meta( $post_id, 'email', sanitize_email( $_POST['email'] ) );
}

if( isset( $_POST['hours'] ) ) {
    update_post_meta( $post_id, 'hours', sanitize_text_field( $_POST['hours'] ) );
}

You could go further and define a custom validation function that will be performed every time a specific meta field is updated/created. For example:

//Create and define the `sanitize_phone_meta` filter:
add_filter( 'sanitize_post_meta_phone', 'sanitize_phone_meta' );
function ssanitize_phone_meta( $phone ) {

    //Perform whatever validation you want for phone value
    //For example, if you only want the phone format 000-0000-0000
    if(preg_match("/^[0-9]{3}-[0-9]{4}-[0-9]{4}$/", $phone)) {
        // $phone is valid
        return $phone;

    } else {
        return false;
    }

}

Then, in the save_post hook:

if( isset( $_POST['phone'] ) ) {
     $clean_phone = sanitize_meta( 'phone', $_POST['phone'], 'post' );
     if( $clean_phone !== false ) {
         update_post_meta( $post_id, 'phone', $clean_phone );
     } else {
         //Do something when the phone format is not what you expect
     }
}

This way, a little more work is required, but the phone meta field will be sanitized against the defined filter every time the phone meta is created/updated from any where without the need of writing the sanitzation code again.

More in:

Related Posts:

  1. Plugin “Meta Box”: Implementing meta boxes in custom post type
  2. RW Meta Box ,Problem setting post title
  3. dynamically generating plugin syntax
  4. get_post_type on post.php
  5. All of my custom posttypes are 404’ing
  6. Adding custom meta boxes to specified custom post type
  7. Error Metabox Warning: call_user_func() expects parameter 1 to be a valid callback
  8. Displaying image from a repeatable group
  9. How to add jquery to my custom post type wp plugin
  10. How can i do custom author list?
  11. Tips for using WordPress as a CMS? [closed]
  12. Redesigning Custom Post Type “Add New” page
  13. How Do I Use The WordPress Plugin Posts 2 Posts by Scribu?
  14. Creating a default Custom Post Template that a Theme can override
  15. Jetpack plugin (ShareDaddy): Prevent share buttons showing on custom post types?
  16. Getting Custom Post Type content from main-site of a Multisite
  17. Custom comment type maybe?
  18. Add custom meta box on Post page
  19. Twillio How To Send SMS for Custom Post Type
  20. Seriously stuck with some custom meta box/plugin stuff
  21. update custom post type meta from a shortcode
  22. Enable comments for post with comments meta box removed
  23. [Plugin: Posts 2 Posts] reciprocal connections
  24. How to Build a Movie Library in WordPress 3.x
  25. How do I get multiple pages by title?
  26. I need to add a custom “cover” to every new post — plugin or custom setup?
  27. How to get images from EDD post?
  28. Admin Dashboard with Custom Tab for Client
  29. Allow users mark posts as “complete”?
  30. Is there a way to order posts and custom post types as one group?
  31. Duplicate posts when posting nulls in records in phpMyAdmin [closed]
  32. Plugin custom post type – Internal server Error
  33. Exclude post by custom meta with pre_get_posts
  34. get_post_type() and WP_QUERY issue
  35. List taxonomy terms for post as checkboxes
  36. Save / Show multi line text in metabox
  37. Custom post type – no layout section of Document tab, and no author choice
  38. Creating a custom post type, adding custom meta fields, preventing all future editability of posts of this type
  39. Metabox not show in categories custom post type cmb2
  40. How to Add multiple instance of meta box to custom post type
  41. Mq translate plugin custom post type issue
  42. Retrieving Meta from Image Attachment
  43. WordPress metaboxes – textfield suggestion automatically populated
  44. WordPress custom taxonomy not showing
  45. Using ACF default value to autoincrement a number field
  46. Create metaboxes based on custom post type
  47. Date format – Meta Box plugin
  48. How to Resize the Custom Post Images?
  49. How to use template_include hook with form submission?
  50. Trying to add a page template for my custom post type from a plugin, but it will not display in the template dropdown unless file is in theme
  51. posts from multiple post types in one slider
  52. Custom Post Type – custom form in dashboard
  53. Access post title from custom meta box on title change
  54. $pages = get_pages(‘child_of=’.$post->ID); Why arguments are concatenated?
  55. CMB2 metabox create select with list of post from CPT
  56. WP-API Custom Post Type json_no_route
  57. How can I list custom post type categories of portfolio
  58. Plugin generated unexpected output – No PHP errors
  59. Use jQuery Datepicker code from plugin
  60. Posts 2 Posts: Display custom types connected to the same other custom type but with another connection
  61. Including content from legacy app: via plugin or custom content?
  62. Dictionary-style definition list plugin
  63. Import Recent Posts Only and Ignore old ones if exist
  64. WordPress REST API: Query media files attached to a custom post type
  65. How to get the custom field value using SQL query
  66. Setting Author on CPT
  67. Create category for each user
  68. How to display the category name in the tab and post inside the tab in WordPress?
  69. Want to build parent-child relationships between custom post types created with CPT UI
  70. custom post type plugin error [closed]
  71. Add an action based on custom post meta field
  72. Merging new theme and plugins from development site to production
  73. Ultimate Members Default Post Layout problem
  74. How to get checkbox by default true in metabox?
  75. Is it possible to customize a wordpress post from outside dashboard(Something like site.com/post-type/post/?e=post_id)?
  76. How to pass multiple custom fields as shortcode’s parameters
  77. Add Cancel Button to a Custom Meta Box
  78. Add_Meta_box to custom page (formidable edit post)
  79. why my wordpress dont have toolbar like, plugin, themes and other?
  80. CMB2 Post Search Field displays/repeats initial post if left empty
  81. Add custom field for users
  82. Calling an custom field from theme option at the frontend
  83. Synch Custom Post Types (and Custom Fields, Cats, etc.) Between WordPress Sites
  84. Problem for recover and save metaboxes
  85. WordPress Custom post type won’t save properly
  86. Making a Custom Post Type Publish Loop
  87. Extending a CPT by Created by another plugin
  88. WordPress User Frontend Editing Custom Fields
  89. Remove base from the custom post type URL [duplicate]
  90. Make a magic tag work with Custom Post Types
  91. Filter custom post type returned from REST api
  92. Problems with file_exists() with metabox plugin in WordPress
  93. Meta box not displaying on the plugin page
  94. Wrong block appender button showing
  95. Select posts from list and add them in a new list
  96. jet engine listing for every single taxonomy in post type [closed]
  97. Failed to update a post when I add a taxonomy to it
  98. Set the title of a custom post automatically by using info from custom fields?
  99. public custom posts not showing in my wordpress plugin
  100. plugin translation *.mo file not getting loaded for custom post
techhipbettruvabetnorabahisbahis forumutaraftarium24edueduedusedueduedusedusedueduedu