First check that it’s not empty, then typecast to a string value as a security precaution, because it’s always possible for this to be submitted as an array, e.g. by an attacker. Then unslash, sanitize, and continue by checking length and anything else that you’d like to validate.
    // Guard against an absent or empty value, then force a scalar string so that
    // an array submission (contact_msg[]=...) cannot reach the sanitizer.
    if ( ! empty( $_POST['contact_msg'] ) ) {
        $contact_message = (string) $_POST['contact_msg'];
        // WordPress adds slashes to superglobals; remove them before sanitizing.
        $contact_message = wp_unslash( $contact_message );
        // Strips tags and control characters while keeping line breaks.
        $contact_message = sanitize_textarea_field( $contact_message );
    }
Tip: Also be sure to verify the request using a nonce.
Here’s a more terse variation of the above.
    if ( ! empty( $_POST['contact_msg'] ) ) {
        $contact_message = sanitize_textarea_field( wp_unslash( (string) $_POST['contact_msg'] ) );
    }
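The full sequence from the answer (nonce check, presence check, string enforcement, unslash, sanitize, length validation) wired into an admin-post.php handler, as an added example that is not part of the original answer or of WordPress core. It assumes a form posting a hidden action=send_contact_msg with a nonce field from wp_nonce_field( 'send_contact_msg', 'contact_nonce' ); those names and the 2000-character limit are hypothetical. It goes one step beyond the answer by rejecting array input outright instead of casting it.

```php
<?php
// Added example, not from the original answer. Assumes WordPress is loaded and the
// form posts to admin-post.php with action=send_contact_msg plus a nonce field made by
// wp_nonce_field( 'send_contact_msg', 'contact_nonce' ). Names and limit are hypothetical.

const CONTACT_MSG_MAX_LEN = 2000;

/**
 * Presence check, string enforcement, unslash, sanitize, then length validation.
 * Returns array( 'value' => string, 'errors' => string[] ).
 */
function contact_msg_validate( $raw ) {
    $errors = array();
    // Arrays/objects are rejected rather than cast: (string) on an array yields the
    // literal "Array", which would otherwise pass as a five-character message.
    if ( ! is_scalar( $raw ) ) {
        return array( 'value' => '', 'errors' => array( 'Message must be a single text value.' ) );
    }
    $value = sanitize_textarea_field( wp_unslash( (string) $raw ) );
    if ( '' === trim( $value ) ) {
        $errors[] = 'Message is required.';
    } elseif ( mb_strlen( $value ) > CONTACT_MSG_MAX_LEN ) {
        $errors[] = 'Message exceeds ' . CONTACT_MSG_MAX_LEN . ' characters.';
    }
    return array( 'value' => $value, 'errors' => $errors );
}

/**
 * admin-post.php handler: verify the nonce before touching any other field.
 */
function contact_msg_handle_submission() {
    $nonce = ( isset( $_POST['contact_nonce'] ) && is_string( $_POST['contact_nonce'] ) )
        ? sanitize_text_field( wp_unslash( $_POST['contact_nonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'send_contact_msg' ) ) {
        wp_die( 'Invalid or expired form token.', 403 );
    }
    $result = contact_msg_validate( isset( $_POST['contact_msg'] ) ? $_POST['contact_msg'] : '' );
    $back   = wp_get_referer() ? wp_get_referer() : home_url( '/' );
    if ( ! empty( $result['errors'] ) ) {
        // Send the visitor back with a flag only; never echo the raw input.
        wp_safe_redirect( add_query_arg( 'contact_error', '1', $back ) );
        exit;
    }
    // $result['value'] is now safe to store or hand to wp_mail().
    wp_safe_redirect( add_query_arg( 'contact_sent', '1', $back ) );
    exit;
}
add_action( 'admin_post_send_contact_msg', 'contact_msg_handle_submission' );
add_action( 'admin_post_nopriv_send_contact_msg', 'contact_msg_handle_submission' );
```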