You can use sanitize_title() function: $string = “This is title string”; // return “this-is-title-string” $slug = sanitize_title( $string ); You can also filter the result of sanitize_title() function using sanitize_title filter: add_filter( ‘sanitize_title’ , ‘sanitize_filter_callback’, 10, 3 ); function sanitize_filter_callback( $title, $raw_title, $context ) { // do something }
After upvoting @pieter’s answer…. In recent time I came to the realization that it is much better to handle “bad” data gracefully when it is used (usually it means escaping, but also validation) than at input time. Data corruption can happen not only because of some rouge process “shitting” over your data, but also when … Read more
Multiple register settings, with same option name – issue
I share your frustration. Not because I believe they are wrong (per se), but because late escaping makes for a really awful developer experience and hard to read code. There is currently a shared agreement among most professional-level WordPress developers that late escaping is the gold standard for output security: 10up on Late Escaping WordPress … Read more
Just use the wpdb insert and update API, no escaping or sanitizing needed as per the doc, just the raw data. Data: (array) Data to replace (in column => value pairs). Both $data columns and $data values should be “raw” (neither should be SQL escaped). Something like: $wpdb->insert( $wpdb->prefix . “myTable”, array( “doiBody” => $_POST[‘doi-body’] … Read more
I use these commands at the top of my functions.php in all child themes; it will sanitize all POST/GETs. Maybe there are better ways (and it might be redundant), but it appears to work for me. $_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING); $_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING); But I am open to constructive criticism….
Coding a plugin on WordPress; when should I sanitize? [duplicate]
HTML in custom fields is, from my point of view, a weird use case of custom fields. Even more if the purpose of the used HTML is just look and feel (<strong> and <i> can be seen as just look and feel). It is really better if you use the HTML markup on the custom … Read more
tl;dr Should I serialize the data? No, it will be done for you as long as everything is serializable. Should I sanitize/escape the data? Partially. The data will be escaped automatically for you to prevent SQL injection attacks, but you should sanitize and validate it to assure data consistency. Explanation If there’s no object cache … Read more
After thinking about this a little bit, I guess that the proper way to ensure that your comments are properly escaped, is by doing something like this: $the_comment = get_comment_text(); echo ‘<p>’ . esc_html($the_comment) . ‘</p>’; Instead of simply using the function like this: comment_text(); Why even have these handy functions in the first place, … Read more