How to properly validate data from $_GET or $_REQUEST using WordPress functions?

WordPress doesn’t provide any specific data validation functions for SUPERGLOBALS.

I use the PHP filter_input function then escape it as I would any untrusted variable.

$url = filter_input( INPUT_GET, 'some_query_string', FILTER_VALIDATE_URL );

echo '<a href="'. esc_url( $url ). '">Click Me</a>';

The PHP filter input accepts:

Related Posts:

  1. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  2. What is the difference between esc_html and wp_filter_nohtml_kses?
  3. What is the difference between strip_tags and wp_filter_nohtml_kses?
  4. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  5. Prevent invalid or empty values from being saved to the database and retain the form field values upon error
  6. Is it necessary to do validation again when retrieving data from database?
  7. how to add security questions on wp-registration page and validate it
  8. oneOf two possible objects in WP REST API?
  9. esc_url, esc_url_raw or sanitize_url?
  10. How to store username and password to API in wordpress option DB?
  11. How to validate custom fields in custom post type?
  12. How should one implement add_settings_error on custom menu pages?
  13. Nonces can be reused multiple times? Bug / Security issue?
  14. is_email() VS sanitize_email()
  15. Can someone explain what wp_session_tokens are, and what are they used for?
  16. WordPress and PHP Sessions – Security and Performance
  17. Nonce in settings API with tabbed navigation
  18. Log in from one wordpress website to another wordpress website
  19. Escaping built-in WP function return strings
  20. WP Cron doesn’t save or in post body
  21. stray elements
  22. WordPress restrict plugin file direct access
  23. Plugin development: is adding empty index.php files necessary?
  24. Confusion on WP Nonce usage in my Plugin
  25. array_map() for sanitizing $_POST
  26. Correct way check nonce (security) using old Options API
  27. Verify Nonce returns false – Request Nonce returns correct value
  28. Why do I need to check if wp_nonce_field() exists before using it
  29. vs WordPress Security
  30. Who is responsible for data sanitization in WordPress development?
  31. Is there any way to check for user login and send him to login?
  32. WordPress security issue to output data from user input from theme option form
  33. How to sanitize user input?
  34. How do i validate data entered in a meta box so that only floats can be entered in a field?
  35. Verify if user is wordpress logged in from another app since wordpress 4.0
  36. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  37. Secure Pages Best Practice
  38. Multiple options pages validation for a plugin
  39. Securing/Escaping Output of file content – reading via fread() in PHP
  40. best way to make a WordPresss multisite that is secure but at the same time supporting my plugin development efforts
  41. Video Security just like facebook [closed]
  42. Is disabling test_form in wp_handle_upload a security concern?
  43. How to connect my wordpress plugin to a remote database securely?
  44. wp_nonce_field displaying twice
  45. wordpress is adding a second backslash when I use addslashes
  46. Checking a WordPress for OWASP top 10 vulnerabilities [closed]
  47. How do I have now a duplicated user entry if this is not allowed (and I cannot replicate it)?
  48. add_submenu_page hooked function must explicitly check user capabilities – why?
  49. Are there any security risks when submitting data-attribute data through AJAX?
  50. Why would you use esc_attr() on internal functions?
  51. Is it possible to use WP-CLI in a plugin (or theme)?
  52. Secruity Questions on a timer
  53. How WordPress sanitizes post content on save? Or it doesn’t?
  54. Using HTML links within translatable string
  55. How can I save a password securely as a settings field
  56. How to validate inputs with filter in register_setting callback
  57. Using password protection to load different page elements?
  58. HTML Elements in my WP Plugin being generated in JS. Security and Translated Text Question about this method being used
  59. How do I add a 5 digit ZIP code validation to a Contact7 form?
  60. $ is not defined [duplicate]
  61. How to store sensitive user data (passwords)
  62. Sanitize WordPress Array Input?
  63. How do I make secure API calls from my WordPress plugin?
  64. esc_attr() on hard coded string
  65. do I need to sanitize a shortcode’s function input?
  66. Experts opinions needed: How (in)secure is this approach?
  67. Array/List Edit in Backend
  68. What is more secure checking capabilities of user or checking role of user in WordPress plugin development
  69. Data Validation, dynamically generated fields (select for example)
  70. Sanitize and Save metabox values
  71. how to sanitizing $_POST with the correct way?
  72. Send user activation email when programmatically creating user
  73. Creating Settings Page with dropdowns for Plugin
  74. Custom Nav Menu items default to ‘menu-item-type’ => ‘custom’. How to make a “page” menu item?
  75. How to get the post content after WordPress post processing?
  76. Global State During an Admin Post
  77. Display custom fields in frontside user profile
  78. Meta box on options page save form problem
  79. Where to use nonce
  80. Simulating timeout is not working
  81. How to develop a wordpress plugin for front-end user?
  82. Issue with iframe in TinyMCE
  83. Find Any Theme’s page.php File
  84. WP Job Manager – Show recent jobs as cards
  85. oneOf JSON Schema validation not properly working for custom post meta value?
  86. How will i add an option under customizer the event calendar section?
  87. Return custom product in ajax call loop
  88. Is there a canonical way for a plugin to install a mu-plugin or drop-in?
  89. How can create a custom plugin to call my webapi after any registration or membership plugin functionality
  90. Admin Menu for New Post
  91. Elementor Top-Bar
  92. Is it possible to add Custom Dashboard Widgets to Custom Admin Menu Page?
  93. Is using upgrader_process_complete the correct way to perform plugin updates?
  94. Load images from CDN and custom features to “Add Media” dialogue
  95. Saving metabox updates causing fatal error
  96. Calling get_header() with installed FSE theme
  97. Reinitiate Gutenburg’s blocks using javascript
  98. Generating Multiple Divi Pages from Database
  99. Is it smart to require_once wp-admin/includes/plugin.php when you need only one function from it
  100. multiple record insert creating many duplicate records

Leave a Comment