Sanitize textarea instead of input
Since WordPress 4.7 there is sanitize_textarea_field(), which does exactly what you want. From the Codex: "Sanitizes a multiline string from user input or from the database."
You can use the sanitize_title() function:

$string = "This is title string";
$slug = sanitize_title( $string ); // returns "this-is-title-string"

You can also filter the result of sanitize_title() using the sanitize_title filter:

add_filter( 'sanitize_title', 'sanitize_filter_callback', 10, 3 );
function sanitize_filter_callback( $title, $raw_title, $context ) {
    // do something
}
After upvoting @pieter's answer... In recent times I came to the realization that it is much better to handle "bad" data gracefully when it is used (usually that means escaping, but also validation) than at input time. Data corruption can happen not only because of some rogue process "shitting" over your data, but also when …
Multiple register settings, with same option name – issue
I share your frustration. Not because I believe they are wrong (per se), but because late escaping makes for a really awful developer experience and hard to read code. There is currently a shared agreement among most professional-level WordPress developers that late escaping is the gold standard for output security: 10up on Late Escaping WordPress …
Just use the wpdb insert and update API; no escaping or sanitizing needed as per the docs, just the raw data. Data: (array) Data to replace (in column => value pairs). Both $data columns and $data values should be "raw" (neither should be SQL escaped). Something like:

$wpdb->insert( $wpdb->prefix . "myTable", array( "doiBody" => $_POST['doi-body'] …
I use these commands at the top of my functions.php in all child themes; they will sanitize all POST/GET values. Maybe there are better ways (and it might be redundant), but it appears to work for me.

$_POST = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
$_GET = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);

But I am open to constructive criticism...
Coding a plugin on WordPress; when should I sanitize? [duplicate]
HTML in custom fields is, from my point of view, a weird use case of custom fields. Even more if the purpose of the used HTML is just look and feel (<strong> and <i> can be seen as just look and feel). It is really better if you use the HTML markup on the custom …
tl;dr Should I serialize the data? No, it will be done for you as long as everything is serializable. Should I sanitize/escape the data? Partially. The data will be escaped automatically for you to prevent SQL injection attacks, but you should sanitize and validate it to ensure data consistency. Explanation: If there's no object cache …