Sanitizing, Validating and Escaping in WordPress (Plugin)

Now I have familiarized myself with the above principles via the documentation and I think I have understood them now

I don’t know which documentation you read, but you should check the Plugin Security section in the plugin developer’s handbook.

And there are three main issues I noticed in your code:

  1. Before attempting to use a $_GET or $_POST variable, you should check whether it’s set or not.

    So for example in your get_current_site() function, instead of $page = $_GET['page'];, you should do:

    $page = isset( $_GET['page'] ) ? wp_unslash( $_GET['page'] ) : '';

  2. In your toggle_myplugin() function, you should sanitize the option value (prior to updating the option) using functions like sanitize_text_field():

    $active = isset( $_POST['active'] ) ? sanitize_text_field( $_POST['active'] ) : '';

  3. In your hidden input field, you should escape the input value using functions like esc_attr(). So instead of simply echo $id;, you would use echo esc_attr( $id );:

    <input type="hidden" name="id" value="<?php echo esc_attr( $id ); ?>">

So I hope that helps and feel free to ask if you need any clarification, and as the plugin handbook recommends, consider checking user capabilities and using nonces (checking user’s intent) where appropriate in your plugin.

Related Posts:

  1. Escape when echoed
  2. Is Wrapping intval() Around esc_attr() Redundant for Escaping Input?
  3. How to safely sanitize a textarea which takes full HTML input
  4. Customizing subject in comment notification e-mails
  5. Making plugin unique to not conflict with plugins with the same name
  6. How to find out if option exists but is empty?
  7. How to pass JavaScript variable to PHP in wordpress widget?
  8. Unable to add admin notice on plugin activation
  9. How To Ignore a Filter On Applying Filter the Content In a Function
  10. Saving Plugin settings to the database
  11. Add CSS animation as Preloader to WordPress
  12. Errors while using ajax from external wordpress page
  13. shortcode doesn’t work
  14. Deleting images through upload folder, but not deleting from media library
  15. WordPress plugin installation
  16. Create or Update thousands of woocommerce products via PHP
  17. send_headers don’t work on wordpress multisite
  18. Plugin exceeds memory limit
  19. Update Option Error: Notice: Undefined index
  20. WordPress Plugin Page is Loading in Admin Content Container Instead of Separate Page
  21. How to trigger $_GET request within admin plugin page?
  22. How to generate video out of images via WordPress plugin
  23. How can I get WordPress to save comments in markdown format?
  24. How to ‘clone’ a wp plugin to make small changes
  25. MITM risk of not sanitizing?
  26. Which escape function to use when escaping an email or plain text?
  27. Self deactivate plugins after an action occurs
  28. How to periodically scrape and cache strings from remote txt files. – My First Plugin
  29. Avoid class name collision when using third party libraries in plugins?
  30. Edit Yoast SEO breadcrumbs output [closed]
  31. How to sanitize uploaded file filename from a plugin?
  32. Redirection of users away from wp-admin (but not administrators)
  33. Using a custom plugin to capture input data via Ajax and PHP
  34. code is working properly in Core PHP but writing coding in WordPress
  35. wp_remote_get() returns 403 while file_get_contents() does not
  36. How to output CMB2 select options from repeated groups select elements?
  37. 306 MB of wp_options occupied by WordPress SEO Plugin, is that normal? [closed]
  38. How to deal with WordPress and Pocket API to automate content curation on my hosted wordpress blog? [closed]
  39. WP All Import – Execute Imports
  40. Perform internal redirect in WordPress?
  41. How to prevent plugins from loading jQuery
  42. WordPress get_avatar function not correct working
  43. Duplicate results are displayed in a custom plugin [closed]
  44. Check if variable is set in filter
  45. How to redirect to same page after form submission
  46. Add User Role: Pre-saved in User-Meta [SOLVED]
  47. Plugin onclick button activate other plugin
  48. I receive taxonomy id
  49. Loop in elementor custom widget not working
  50. How to create plugin/ page that reads from database
  51. Creating a functionality plugin to edit seriously simple podcasting
  52. How WordPress core manage the plugin installation
  53. Asynchronous request in wordpress
  54. Make plugin php file called directly aware of WordPress?
  55. Next Previous Post in wordpress with previous / next link with title?
  56. Different registration form for different roles
  57. Apply html elements in php statement
  58. WordPress Post HTML after Posting
  59. Settings options not showing up on Sub Menu page in WordPress plugin
  60. can’t unzip file
  61. i need to make custom cron_schedule with custom interval time as a parameter into a custom payment gateway plugin wordpress
  62. How to create admin setting for this small plugin
  63. Allow a particular user to access a particular plugin?
  64. Cookie value changes back to previous value after changing
  65. Change plugin descriptions
  66. The Build menu theme is frozen with the wordpress theme
  67. Problem with checked box on wp car manager plugin
  68. How can I translate something in my class constructor of my plugin in WordPress?
  69. Define global variable in theme file and call that variable in plugin file
  70. How to translate to spanish wordpress hardcoded content/files?
  71. update_post_meta is not working for me when I use e.preventDefault for update button
  72. SimpleXML is not working with xml response from external api
  73. How to use Datatable with Ajax when creating plugin on WordPress?
  74. Prefix WordPress Taxonomy Tags With Hashtag Symbol Like Twitter
  75. Change Woo Custom Endpoint Titles from a Plugin
  76. Showing how many times is plugin activated or deactivated
  77. Woocommerce list variations that are added already to cart in Single Product
  78. WordPress Admin sub-level menu issue
  79. Plugin communication between sites that use it?
  80. Passing ajax variable to more than one wordpress plugin function
  81. Form tries to download a file on submit
  82. Populate select option with JSON file
  83. insert multiple entries in database using a loop issue
  84. Escaping and sanitization
  85. Displaying friend’s posts only
  86. Theme editor removes backslashes
  87. Plugin Hook: Get posts
  88. Undefined variable _POST
  89. How use Dynamic hyperlink on each wordpress post?
  90. Unable to show 4 products in a row
  91. What can I do to customize a widget provided with this plugin? from where have I to start?
  92. How can I properly sanitize the update_option in WordPress?
  93. Function not being called on form submit, only blank admin-post.php page
  94. wp_handle_upload – specified file failed upload test
  95. How can I save the selected page in the dropdown after anyone clicks on Save Changes?
  96. How can I save the selected page in the dropdown after anyone clicks on Save Changes?
  97. How to make a Template page to show the information of different things Shop and Product page?
  98. WordPress Throwing Deprecated Errors on its own Files
  99. public custom posts not showing in my wordpress plugin
  100. plugin doesn’t retrieve data from database