how to sanitizing $_POST with the correct way?

Instead of looping through the array, use this: map_deep( $form_data, ‘sanitize_text_field’ ); (see the User Notes in the function doc: https://developer.wordpress.org/reference/functions/sanitize_text_field/ ) The docs state that Checks for invalid UTF-8, Converts single < characters to entities Strips all tags Removes line breaks, tabs, and extra whitespace Strips percent-encoded characters So you could also use the … Read more

esc_url, esc_url_raw or sanitize_url?

This might be a more useful demonstration: <a href=”<?php echo esc_url( $url ); ?>>I’m printing a URL to the frontend</a> $url = sanitize_url( $_GET[‘user_inputted_data’] ); update_post_meta( $post_id, ‘that_url’, $url ); esc_url is an escaping function, sanitize_url is a sanitising function. Sanitising functions clean incoming data, e.g. removing letters from phone numbers, stripping trailing space etc. … Read more

Escaping get_option( ‘time_format’ ) is nesserary?

Should you escape these? $date_format=”Y/m/d”; $time_format = get_option( ‘time_format’ ); No. That would be early escaping! Early escaping is very bad! However, should you escape this? echo'<td>’.$date .’ ‘.$time.'</td>’; YES. Escaping is not about wether it’s needed or not, if you ever find yourself saying “It shouldn’t be a problem because it’s always a” stop … Read more

Escaping and Special Characters (e.g. &)

If I put <script>alert(‘hello’);</script> in the title of a WordPress page with the default theme the script runs. This is expected behaviour. HTML is typically allowed in titles in WordPress. The standard WordPress function, the_title(), does not escape the title. If you don’t want to allow script tags then you need to sanitize the input … Read more

Escaping Issues

The point of escaping is to make sure that when a value is output, it cannot output anything malicious, or that would just break the markup of the page. For example, when outputting a variable, you will want to escape certain characters so that the value can’t unintentionally open or close HTML tags, which could … Read more

problem with quotes on new post

$post_content=”&quot;Neque porro quisquam est qui dolorem ipsum quia dolor sit amet, consectetur, adipisci velit…&quot;”; Try encoding special characters. See: http://www.w3schools.com/tags/ref_entities.asp & http://php.net/manual/en/function.htmlentities.php