Now I have familiarized myself with the above principles via the documentation and I think I have understood them now
I don’t know which documentation you read, but you should check the Plugin Security section in the plugin developer’s handbook.
And there are three main issues I noticed in your code:
-
Before attempting to use a
$_GET
or$_POST
variable, you should check whether it’s set or not.So for example in your
get_current_site()
function, instead of$page = $_GET['page'];
, you should do:$page = isset( $_GET['page'] ) ? wp_unslash( $_GET['page'] ) : '';
-
In your
toggle_myplugin()
function, you should sanitize the option value (prior to updating the option) using functions likesanitize_text_field()
:$active = isset( $_POST['active'] ) ? sanitize_text_field( $_POST['active'] ) : '';
-
In your hidden input field, you should escape the input value using functions like
esc_attr()
. So instead of simplyecho $id;
, you would useecho esc_attr( $id );
:<input type="hidden" name="id" value="<?php echo esc_attr( $id ); ?>">
So I hope that helps and feel free to ask if you need any clarification, and as the plugin handbook recommends, consider checking user capabilities and using nonces (checking user’s intent) where appropriate in your plugin.