Validating, Sanitizing, and Escaping User Data in WordPress Development

"Never trust user-supplied data" is one of the golden rules of software development. A secure WordPress theme or plugin, like any other web application, needs to do at least the following three things so that user data can be handled safely:

  • Before processing the user's input, validate the data to make sure its format meets our requirements.
  • Before saving the user's data in the database, sanitize it so that unexpected content stored in the database does not introduce bugs or security holes.
  • When reading the data back out of the database and outputting it to the front end, escape it so that unexpected characters cannot break the page layout.

Validating the user's data format prior to processing

Validating the data format means making sure that the data submitted by the user is exactly what we need. WordPress provides several validation methods to help with this; which one to use depends on the type of data being validated.

Suppose, we have a text field inside our form:

<input type="text" id="zipcode" name ="zipcode" maxlength ="5"/>

In the field above, the "maxlength" attribute restricts the user to at most 5 characters, but nothing restricts what kind of characters can be entered: the user can type "12345" or "abcde". A zip code is numeric, so non-numeric input clearly does not meet our requirements.

This is where validation comes in. When processing the form we need to check that each submitted field is in the format we need; for this example, the "zipcode" field can be validated with the following code:

// Force the submitted value to an integer; non-numeric input becomes 0.
$safe_zipcode = intval( $_POST['zipcode'] );
if ( ! $safe_zipcode ) {
  $safe_zipcode = '';
}

// Truncate anything longer than 5 characters (the browser-side maxlength can be bypassed).
if ( strlen( $safe_zipcode ) > 5 ) {
  $safe_zipcode = substr( $safe_zipcode, 0, 5 );
}

update_post_meta( $post->ID, 'zipcode', $safe_zipcode );

The "maxlength" check is performed only by the browser. Some browsers don't support the attribute, and a user can bypass the browser check and submit a longer value anyway, so even when the front end validates, we still have to validate on the server.

The intval() function forces the submitted value to an integer. If the user entered something that is not an integer, the result is 0, so we can test for 0 to know whether the input was valid.

This style of validation is closest to the WordPress whitelisting concept: only allow the user to enter what you expect. WordPress provides a number of handy helper functions that cover most data types.
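The following is an added example, not code from the original post, showing the whitelist idea applied to the zip code field as a reusable check. It goes a step beyond the intval() version above: a pattern match keeps a leading zero (which intval() would drop) and also rejects a tampered request where the field arrives as an array instead of a string. It is plain PHP with no WordPress dependency, so it runs from the command line; validate_zipcode(), validate_form() and the sample submissions are all constructed for illustration.

```php
<?php
/**
 * Whitelist-style validation of a 5-digit zip code field.
 * Returns the validated string, or '' when the input is not what we expect.
 */
function validate_zipcode( $raw ) {
    // A tampered request can send zipcode[]=..., which arrives as an array.
    if ( ! is_string( $raw ) ) {
        return '';
    }
    $raw = trim( $raw );
    // Exactly five ASCII digits. Unlike intval(), this keeps a leading zero
    // ("02139") and rejects "123" or "1234a" outright instead of coercing them.
    if ( ! preg_match( '/^[0-9]{5}$/', $raw ) ) {
        return '';
    }
    return $raw;
}

/**
 * Validate every field of a submitted form against a per-field rule.
 * $rules maps field name => callable returning the cleaned value or ''.
 * Fields not listed in $rules are ignored; failures are reported by name.
 */
function validate_form( array $post, array $rules ) {
    $clean  = array();
    $errors = array();
    foreach ( $rules as $field => $validator ) {
        $value           = isset( $post[ $field ] ) ? $post[ $field ] : '';
        $clean[ $field ] = $validator( $value );
        if ( '' === $clean[ $field ] ) {
            $errors[] = $field;
        }
    }
    return array( $clean, $errors );
}

// Constructed sample submissions standing in for $_POST.
$samples = array(
    array( 'zipcode' => '02139' ),      // valid, leading zero preserved
    array( 'zipcode' => '1234567' ),    // too long: the browser maxlength was bypassed
    array( 'zipcode' => 'abcde' ),      // non-numeric
    array( 'zipcode' => array( 'x' ) ), // tampered request: array instead of string
    array(),                            // field missing entirely
);

foreach ( $samples as $post ) {
    list( $clean, $errors ) = validate_form( $post, array( 'zipcode' => 'validate_zipcode' ) );
    printf(
        "%-24s => zipcode=%s errors=%s\n",
        json_encode( $post ),
        var_export( $clean['zipcode'], true ),
        implode( ',', $errors )
    );
}

// Inside a plugin, only the cleaned value would be stored:
// update_post_meta( $post_id, 'zipcode', $clean['zipcode'] );
```

Only the first sample passes; the other four yield '' and appear in the error list, which is the point of a whitelist: anything that is not exactly the expected shape is rejected rather than "repaired" into something that merely looks valid.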

Sanitizing user data before saving to the database

Compared with the validation above, sanitizing user data is more lenient: we call these methods to clean up user input when we are not strict about its exact format.

For example, we have this field in our form:

<input type="text" id="title" name="title" />

We can use the sanitize_text_field() function to remove characters that don't belong in the user's input:

$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );

This function quietly does a lot of things for us behind the scenes, roughly as follows:

  • Checks for invalid UTF-8 (using the wp_check_invalid_utf8() function)
  • Converts a lone < character into an HTML entity
  • Strips all HTML tags
  • Removes line breaks, tabs and extra whitespace
  • Strips percent-encoded octets (such as %20)

In addition to sanitize_text_field(), WordPress provides a number of other sanitizing functions, each suited to a particular kind of user-supplied data.
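As an added example (not code from the original post), here is one way to route each submitted field through the WordPress sanitizer that matches the kind of data it holds. It assumes it runs inside WordPress: sanitize_text_field(), sanitize_textarea_field(), sanitize_email(), esc_url_raw(), absint(), wp_kses_post(), sanitize_key() and wp_unslash() are all core functions. The field names and the sanitize_profile_fields() function are made up for illustration.

```php
<?php
/**
 * Sanitize a set of submitted profile fields, one sanitizer per field.
 * Each sanitizer returns a value that is safe to store in the database.
 */
function sanitize_profile_fields( array $raw ) {
    // Field => sanitizer. Pick the function that matches the data type.
    $sanitizers = array(
        'title'   => 'sanitize_text_field',     // single-line text: strips tags, octets, stray whitespace
        'bio'     => 'sanitize_textarea_field', // multi-line text: same rules, but keeps newlines
        'email'   => 'sanitize_email',          // drops characters not allowed in an address
        'website' => 'esc_url_raw',             // URL intended for storage (esc_url() is for output)
        'age'     => 'absint',                  // non-negative integer; anything else becomes 0
        'about'   => 'wp_kses_post',            // limited HTML, same allow-list as post content
        'color'   => 'sanitize_key',            // lowercase a-z, 0-9, '-' and '_' only
    );

    $clean = array();
    foreach ( $sanitizers as $field => $fn ) {
        // A missing field becomes '' so a partial or tampered request cannot
        // leave a stale value behind; arrays are rejected because every
        // sanitizer here expects a string.
        $value = ( isset( $raw[ $field ] ) && is_scalar( $raw[ $field ] ) )
            ? (string) $raw[ $field ]
            : '';
        $clean[ $field ] = call_user_func( $fn, $value );
    }
    return $clean;
}

// WordPress adds slashes to $_POST, so unslash before sanitizing, then store
// only the cleaned values. This would sit in the form handler after validation.
$clean = sanitize_profile_fields( wp_unslash( $_POST ) );
foreach ( $clean as $field => $value ) {
    update_post_meta( $post->ID, $field, $value );
}
```

The mapping makes the choice of sanitizer explicit per field, which is easier to review than ad-hoc calls scattered through a save handler, and any field not in the map is simply never stored.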

Escaping user data on output

To avoid outputting data that breaks the page, we need to escape user-provided data at output time. WordPress gives us several escape functions, one for each of the following kinds of output.

esc_html() When the data we output is wrapped in HTML, use this function so that HTML contained in the data cannot break the surrounding structure and garble the layout. It is used as follows:

<h4><?php echo esc_html( $title ); ?></h4>

esc_url() Use this function when outputting a URL, such as the value of a src or href attribute:

<img src="<?php echo esc_url( $great_user_picture_url ); ?>" />

esc_js() escapes a value for use in inline JavaScript, as follows:

<a href="#" onclick="<?php echo esc_js( $custom_js ); ?>">Click me</a>

esc_attr() Use this function when user data is output as the value of an HTML attribute. For example:

<ul class="">

esc_textarea() Escapes text for use inside a textarea element.

Note: most WordPress template functions already escape correctly before outputting, so we don't need to escape again. For example: <h4><?php the_title(); ?></h4>
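The following added example (not from the original post) puts the escape functions above side by side in one template fragment, choosing the function by where the value lands in the markup. It assumes WordPress is loaded (esc_html(), esc_attr(), esc_url(), esc_textarea() and esc_js() are core functions); render_user_card() and the $card array with its keys are constructed for illustration, and the sample values deliberately contain quotes and angle brackets that would break the markup if echoed raw.

```php
<?php
/**
 * Render a small card, escaping each value for the context it is output in.
 */
function render_user_card( array $card ) {
    ?>
    <?php // Attribute value: esc_attr() turns the closing quote into &quot;. ?>
    <div class="card <?php echo esc_attr( $card['css_class'] ); ?>">

        <?php // Text between tags: esc_html() encodes <, >, &, " and '. ?>
        <h4><?php echo esc_html( $card['title'] ); ?></h4>

        <?php // src/href: esc_url() encodes the URL and rejects unsafe protocols. ?>
        <img src="<?php echo esc_url( $card['picture_url'] ); ?>"
             alt="<?php echo esc_attr( $card['title'] ); ?>" />

        <?php // Textarea content has its own rules, so use esc_textarea(). ?>
        <textarea name="bio"><?php echo esc_textarea( $card['bio'] ); ?></textarea>

        <?php // A value placed inside a quoted JavaScript string: esc_js(). ?>
        <script>
            var cardTitle = '<?php echo esc_js( $card['title'] ); ?>';
        </script>
    </div>
    <?php
}

// Constructed data: each value contains characters that matter in its context.
$card = array(
    'css_class'   => 'user-card" data-x="y',               // stray quote would add a new attribute
    'title'       => 'O\'Brien & Sons <b>"Official"</b>',  // tag, ampersand and both quote styles
    'picture_url' => 'https://example.com/avatar.png?size=64&v=2',
    'bio'         => "Line one\n</textarea><p>Line two",    // would close the textarea early
);
render_user_card( $card );
```

The same title is escaped three different ways (esc_html(), esc_attr(), esc_js()) because each context has different special characters; picking one escaper and reusing it everywhere is the usual mistake. Note that a value already escaped by a template function such as the_title() should not be passed through esc_html() a second time, or entities like &amp; will be displayed literally.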

Whether user-supplied data is handled properly is a basic criterion for judging the quality of a WordPress theme or plugin. Wherever a theme or plugin has to deal with user data, we should apply validation, sanitization and escaping as appropriate, so that bugs and security holes are minimized and the result is a solid, stable theme or plugin.
