What is the proper way to sanitize $_POST and $_GET vars?

If I understand correctly, WordPress automatically applies a wp_slash() on the global $_POST variable: should this means that for any $_POST variable, prior to saving to the DB, we should first unslash it? Which one of the following solution is the correct one?

Is the $_GET variable also slashed? Do we need to apply the same process?

I searched the WordPress Github repository and found no evidence for it:

https://github.com/search?q=repo%3AWordPress%2FWordPress+wp_slash&type=code&p=1

In truth sanitisation is quite straight forward, especially if we rephrase the question in terms of food. Normally we clean food before we cook it, so it makes no sense to ask if you should clean each bite of food before putting it in your mouth. Sanitising is cleaning data.

Likewise sanitisation is only part of the story. Sanitising is cleaning, but washing a car does not make it edible. You need to sanitise, validate, and escape.

  • sanitise at the moment the data is ingested/retrieved
    • we do this to clean the data and make it suitable for processing
    • e.g. removing trailing spaces, remove letters from values that are numbers, enforcing character case etc
  • validate immediately afterwards
    • validation tests to see if the value has the appropriate format. E.g. “banana” is a string, and would pass sanitisation, but it is not a valid date. Likewise we can sanitise " 5 " to the number 5 but 5 is too short to be a phone number.
    • validation returns a true or false, it either is or is not valid
  • escape, this is very important but unfortunately forgotten by most. Escaping is like a cookie cutter, it guarantees the output of data. For example echo esc_url( $url ) always outputs a URL, even if $url is not a URL. The result may be garbage and of no use, but it will be a URL and thus will be safe to use in places such as <a href=" as we know it can’t break out of that attribute.

Which functions you use to perform these tasks are super specific to the situation and context. There is no catch all sanitize_everything function, just like there is no universal validate_variable function, because doing so would require a human being.

At which point should we sanitize data? In the two following examples, I am applying the sanitize_text_field() function before, or after an in_array() check. Which one of them is the more appropriate?

The goal of sanitisation is to clean data before processing, it’s not just about security. Sanitising something does not automatically make it safe.

For example, consider this code:

$input = $_GET['search'];
if ( $input == 'test' ) {
    echo 'you searched for test';
}

It would fail if search was given a value that started with a space, or if the user searched for TEST, etc. Sanitisation normalises the value before processing, not just to make it secure, but to prevent bugs.

WordPress provides some helper functions to assist with sanitising inputs, but it only does a few things, and you can and should do additional checks based on the type of data you are ingesting.

https://developer.wordpress.org/reference/functions/sanitize_text_field/

  • Checks for invalid UTF-8,
  • Converts single < characters to entities
  • Strips all tags
  • Removes line breaks, tabs, and extra whitespace
  • Strips percent-encoded characters

As you can see sanitize_text_field would be inappropriate for a HTML fragment, and doesn’t do enough sanitation for more specific fields such as numerical fields or date fields. It also won’t validate the text field contains the type of value you expect it to contain.

we should first unslash it?

Even if WordPress did this, which I can find no evidence that it does, you would only do this if you needed to do this, which would become very obvious very quickly. If you need to ask the question then either you haven’t attempted to use POST variables or the answer is no.

On a final note, these nested if statements are unnecessary, and would be much better if they were guards that returned early:

     global $theme_options;
     if (!empty($query->is_search)) {
        if (!empty($theme_options['allowed_search_post_types'])) {
           if (isset($_GET['post_type']) && $_GET['post_type'] !== '') {
                 // code...

vs

function mytheme__customsearch_pre_get_posts($query) {
    global $theme_options;
    if ( empty($query->is_search ) ) {
        return;
    }
    if ( empty($theme_options['allowed_search_post_types']) ) {
        return;
    }
    if ( empty($_GET['post_type'])) {
        return;
    }
    // code...

The resulting code has a lower cyclomatic complexity, is prone to fewer mistakes and bugs, and is easier to read and extend despite doing the same thing.

Also note the use of tabs for indentation. WP coding standards use a tab shown via 4 spaces, unlike the 6 space configuration used in the code.

You could also have filtered the post type registration to disable search.

Related Posts:

  1. Should I sanitize an email address before passing it to the is_email() function?
  2. Escaping and sanitizing SVGs in metabox textarea
  3. What is the difference between wp_strip_all_tags and wp_filter_nohtml_kses?
  4. Reason for Lowercase usernames
  5. What is the best way to sanitize data?
  6. Should nonce be sanitized?
  7. esc_url removes white space. Can I change that to using ‘-‘?
  8. WP Coding standards – escaping the inescapable?
  9. Sanitatizing when using the posts_where hook
  10. Escape hexadecimals/rgba values
  11. Must I serialize/sanitize/escape array data before using set_transient?
  12. Echo JavaScript Safely
  13. wp_kses ignore allowed and allow everything
  14. Sanitize array callback for the WordPress Settings API
  15. How to escape $_GET and check if isset?
  16. What’s a safe / good way to output HTML safely within WordPress templates?
  17. Do Not Understand → Rule No. 4: Making Data Safe Is About Context [closed]
  18. Sanitizing output that contains quotes?
  19. WP_Customize_Manager: How to get control ID
  20. How to use wp_filter_oembed_result?
  21. Sanitization html output itself
  22. Post text sanitization after publishing/editing – changes are not saved
  23. wp_set_object_terms() without accents
  24. Escaping data from database (users table) is necessary?
  25. Properly sanitize an input field “Name “
  26. Sanitize a custom date meta field
  27. what is a good method to sanitize the whole $_POST array in php?
  28. Data sanitization: Best Practices with code examples
  29. How safe / sanitized is wp_insert_posts()?
  30. How to safely sanitize a textarea which takes full HTML input
  31. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  32. is_email() VS sanitize_email()
  33. Is sanitize_text_field() is enough to save to DB?
  34. What is the difference between esc_html and wp_filter_nohtml_kses?
  35. How to escape custom css?
  36. Escaping quotes from shortcode attributes
  37. Sanitation needed for WP_Query or get_posts calls?
  38. How to allow HTML tags into WP Bakery (formerly Visual Composer) `textfield` parameter
  39. Do Cookies Need to be Sanatized Before Being Saved?
  40. Default WordPress settings API data sanitization
  41. What is the difference between strip_tags and wp_filter_nohtml_kses?
  42. Should I sanitize custom post meta if it is going to be escaped later?
  43. How to display data from custom table in wordpress database?
  44. Remove tinyMCE from admin and replace with textarea
  45. wp_sanitize_redirect strips out @ signs (even from parameters) — why?
  46. array_map() for sanitizing $_POST
  47. Correct processing of `$_POST`, following WordPress Coding Standards
  48. why is esc_html() returning nothing given a string containing a high-bit character?
  49. How Could I sanitize the receive data from this code
  50. Who is responsible for data sanitization in WordPress development?
  51. Settings API – sanitize_callback is not called and it leads to an incorrect behavior
  52. Best Practice for Validating and Sanitizing Data
  53. Storing HTML in wp_options
  54. Do We Need to Validate, Sanitize, or Filter Simple Numerical Superglobals (Cookies and Post)?
  55. What is the proper way to validate and sanitize JSON response from REST API?
  56. MITM risk of not sanitizing?
  57. Which escape function to use when escaping an email or plain text?
  58. Modify automatically generation of slug when term is created
  59. Can i use the same sanitize function on multiple theme mod textboxes?
  60. What function removes apostrophes when making a slug?
  61. How to sanitize uploaded file filename from a plugin?
  62. Is wp_kses the right approach in sanitizing this string?
  63. Seeking clarity on data sanitization fields for settings textarea
  64. Customizer: Category Select Sanitize
  65. Prevent invalid or empty values from being saved to the database and retain the form field values upon error
  66. Theme Customizier sanitize_callback not working
  67. Change wp_sanitize function?
  68. What data sanitzation function should be used to store entire source code of webpage?
  69. What functions does WordPress use for filtering / sanitizing comments?
  70. Why the WP Core team does not allow filter_* functions? [closed]
  71. data-type=”” … needed post tags stripped of characters
  72. wordpress is adding a second backslash when I use addslashes
  73. WordPress messes up with data attributes in shortcode output
  74. confused about sanitize_email after is_email [duplicate]
  75. Trouble creating custom sanitization function for user list dropdown
  76. Invalidate username if it contains @ symbol
  77. Contact Form Security
  78. How to allow certain PHP functions when using sanitize_callback in the word press customizer
  79. Input sanitation
  80. Display the line breaks in user bio without using html
  81. Change user nicename without sanitize
  82. HTML in category name
  83. How can I apply custom sanitization to new usernames?
  84. How do I sanitize the str_replace function in javascript variables
  85. Sanitizing textarea for wp_insert_post with TinyMCE enabled or disabled
  86. Safely store code(html/js..) into database
  87. Do I need to sanitize $_POST[‘keyword’] before send to ‘s’ parameter?
  88. Can non-latin characters appear in slugs?
  89. Data Validation & Sanitization for Big HTML Blocks
  90. Where is the HTML-handler part in the wpdb class?
  91. I need to get the control choices to sanitize_callback
  92. Can we validate data from jquery
  93. Escaping WP_Query tax_query when term has special character(s)
  94. Trouble creating custom sanitization function when uploading video files
  95. Custom-Metaboxes-and-Fields text_url field prepending http://
  96. Settings api sanatize callback not being triggered
  97. Data validation for inline javascript
  98. How to return responsive images from a sanitize_callback?
  99. esc_url, esc_url_raw or sanitize_url?
  100. how to sanitizing $_POST with the correct way?
tech