• Have a search form field that I want to make sure is safe to use.

    How do I incorporate using esc_html?

    I’ve tried using:

    $string = esc_html($string);

    But it’s causing a problem.

    I probably should note that the string ends up being part of the header url.

Viewing 2 replies - 1 through 2 (of 2 total)
  • What problem does it cause?

    If you are using the variable in a form, it’s probably in an <input> attribute, so you should check esc_attr, which is used to escape HTML in an attribute.

    E.g.
    <input type="text" name="myfield" value="<?php echo esc_attr($string); ?>" />

    Thread Starter Jacorre

    (@jacorre)

    The form field is:

    <input type="text" name="search-string" />

    Then in the processing file that it points to, I’m storing the value as a variable.

    How do I make sure that what the visitor typed in isn’t malicious?

    Because when I use the search string variable it will be in the location header.

    Is esc_html enough or should I use wp_kses? Also having trouble getting that one to work.

  • The topic ‘How do you use esc_html for form inputs?’ is closed to new replies.
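
The thread concerns one submitted value used in two places: the Location header of a redirect and the HTML of a form. The following is an added example, not code from any poster in the thread, showing each place with the escaping that matches it. It assumes WordPress is loaded, that the handler is hooked on `init`, and that the redirect goes to the site's own search URL using the `s` query variable; the `example_*` function names are hypothetical.

```php
<?php
// Added illustration; function names are hypothetical and WordPress must be loaded.

// Processing step: take the submitted value and redirect with it in the URL.
function example_handle_search_redirect() {
	if ( ! isset( $_POST['search-string'] ) || ! is_string( $_POST['search-string'] ) ) {
		return; // Nothing submitted, or an array was sent instead of a string.
	}

	// WordPress adds slashes to request data; remove them, then strip tags,
	// line breaks and invalid UTF-8 so the value is plain single-line text.
	$term = sanitize_text_field( wp_unslash( $_POST['search-string'] ) );

	// URL context: percent-encode the value. esc_html() targets HTML text,
	// so it would turn '&' into '&amp;' and leave spaces unencoded.
	// Assumption: the redirect target is the site's search results (?s=...).
	$url = add_query_arg( 's', rawurlencode( $term ), home_url( '/' ) );

	// wp_safe_redirect() refuses hosts that are not on the allowed list.
	wp_safe_redirect( $url );
	exit;
}
add_action( 'init', 'example_handle_search_redirect' );

// Output step: escape for the exact place the value is printed.
function example_render_search_form() {
	$term = get_search_query( false ); // false = return the term unescaped.
	?>
	<p>Results for: <?php echo esc_html( $term ); ?></p>
	<form method="post" action="<?php echo esc_url( home_url( '/' ) ); ?>">
		<input type="text" name="search-string" value="<?php echo esc_attr( $term ); ?>" />
	</form>
	<?php
}
```

`wp_kses` is meant for values that are allowed to keep some HTML tags; a search term is plain text, so it is not used here.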