You can use below WordPress function to sanitize the value: sanitize_text_field( $_POST[‘keyword’] ); You can also check more detail here: https://developer.wordpress.org/reference/functions/sanitize_text_field/
How to allow arbitrary inline CSS in posts?
Good on you for trying to do this properly – but… how about this? global $wp; echo esc_url( home_url( $wp->request ) ); EDIT: Versions of your above code have been written all over the internet – see this SO question with 000s of votes. rather UN-intuitively it’s not a super simple thing to do as … Read more
HTML Img with data:image src gets sanitized in admin?
You sanitization callback function get passed all the values that correspond with the setting name. When a POST request is made to the options.php file from the page on which your settings resides, WordPress calls your sanitization callback in a way that would resemble this: <?php boj_myplugin_validate_options( $_POST[‘boj_myplugin_options’] ); Notice that the name attribute looks … Read more
So checked is fairly simple to understand. It compares the first two values. If they’re equal, it spits out checked=”checked” if they aren’t equal nothing happens. <?php $saved = ‘on’; $compare=”on” // spits out checked=”checked” checked($saved, $compare); $saved = ‘off’; // does nothing checked($saved, $compare); How you save check boxes it up to you. Because … Read more
@Ravs… got it with this: $title = sanitize_title($title); Thank you for your help!
When you call register_setting, the third parameter is the sanitize callback function. You can do whatever data manipulation you need in that function, in order to arrange the user input into the format you need for your code. So after the data validation (integers are integers, sanitize text fields, etc.), you can retrieve the current … Read more
You should scape data when displaying it, not when saving. To sanitize, I think the best choice in this case is sanitize_text_field() if( isset( $_POST[‘my_meta_box_select’] ) ) { update_post_meta( $post_id, ‘my_meta_box_select’, sanitize_text_field( $_POST[‘my_meta_box_select’] ) ); } Then, only if you are going use the data as attribute you should use esc_attr(): $selected = isset( $values[‘my_meta_box_select’] … Read more
there are two possible injection vectors, server side and client side server side – Just don’t write your own SQL and use the more high level DB access APIs, in your case probably update_option. If you must to access the DB at lower level make sure the API use wpdb::prepare while generating the SQL, which … Read more