Settings API – sanitizing urls, email addresses and text

Instead of using add_settings_section() and add_settings_field() every time, create a function that returns an array of options, for example: function my_theme_options() { $options = array(); $options[] = array( 'id' => 'ID', 'title' => 'Title', 'type' => 'text_field', // use this value to sanitize/validate input 'validate' => 'url' // use this value to validate the text …

Which KSES should be used and when?

From the codex: wp_filter_kses should generally be preferred over wp_kses_data because wp_magic_quotes escapes $_GET, $_POST, $_COOKIE, $_SERVER, and $_REQUEST fairly early in the hook system, shortly after 'plugins_loaded' but earlier than 'init' or 'wp_loaded'. The first set is then preferred. More of a question of, "is stripping slashes more secure than not?" They both use …

What is the best way to sanitize data?

No, the sanitization is already done. Well, the mysql_real_escape_string is done; it's considered bad form to filter HTML on input. I personally think doing it on output kinda breaches DRY. If you did it in WordPress, I highly suspect somewhere else will do it again, resulting in double HTML entity encoding. Also, by the way, wpdb::insert …

Reason for Lowercase usernames

Uppercase characters are not blocked in usernames on single site setups. Uppercase characters ARE blocked in usernames on multisite setups. The wpmu_validate_user_signup function forces lowercase a-z and numbers 0-9 only.

is_email() VS sanitize_email()

is_email() will take the provided string (an email address) and run checks on it to ensure that it is indeed an email address and that the string has no illegal characters in it. It would simply not change anything in the string you provided but return either true if the string passes all the function …

What’s the difference between esc_* functions?

esc_html and esc_attr are near-identical; the only difference is that output gets passed through differently named filters (esc_html and attribute_escape respectively). esc_url is more complex and specific: it deals with characters that can't be in URLs and allowed protocols (a list of which can be passed as the second argument). It will also prepend input with …

How to properly validate data from $_GET or $_REQUEST using WordPress functions?

WordPress doesn't provide any specific data validation functions for SUPERGLOBALS. I use the PHP filter_input function, then escape it as I would any untrusted variable. $url = filter_input( INPUT_GET, 'some_query_string', FILTER_VALIDATE_URL ); echo '<a href="'. esc_url( $url ). '">Click Me</a>'; The PHP filter input accepts:
Validate filters
Sanitize filters
Other filters
Additional filter flags