Sanitize and Save metabox values

  • I am learning WordPress Plugin development. How to Sanitize and Save metabox values in WordPress Plugin ?

    I am using below code.

    
        //Filtering
        $fields = [
            'location_input'        => FILTER_SANITIZE_STRING,
            'temperature'           => FILTER_SANITIZE_STRING,
            
        ];

        // Save values
        foreach ( $fields as $field_name => $flag ) {
            if ( !empty( $field = filter_input( INPUT_POST, $field_name, $flag ) ) ) {
                update_post_meta( $post_id, $field_name, sanitize_text_field( $field ) );
            } else {
                delete_post_meta( $post_id, $field_name );
            }

        }

    Is it enough to Sanitize and Save meta box values ?

Viewing 6 replies - 1 through 6 (of 6 total)

  • If you are developing a wp plugin best to use the wp functions for sanitization.

    e.g.

    sanitize_text_field()
    https://developer.www.ads-software.com/reference/functions/sanitize_text_field/

    see https://developer.www.ads-software.com/themes/theme-security/data-sanitization-escaping/

    Thread Starter mabufoysal

    (@mabufoysal)

    Thanks @alanfuller . I used sanitize_text_field(). Could you please evaluate my code ? Thanks.

    I didn’t even spot that due to your redundant filter_input code which is effectively re performed by the sanitize_text_field

    If you really have only two text fields, I wouldn’t bother with the loop.

    `

    Your approach is safe IMHO but not the way I would handle it.

    Just two fields – simply

    if ( isset( $_POST['location_input'] ) && ! empty( $_POST['location_input'] ) ) {
	update_post_meta( $post_id, 'location_input', sanitize_text_field( $_POST['location_input'] ) );
} else {
	delete_post_meta( $post_id, 'location_input' );
}
if ( isset( $_POST['temperature'] ) && ! empty( $_POST['temperature'] ) ) {
	update_post_meta( $post_id, 'temperature', sanitize_text_field( $_POST['temperature'] ) );
} else {
	delete_post_meta( $post_id, 'temperature' );
}

    If you had lots of fields then an array with the sanitization call may be my approach, it also allows you to build and apply custom sanitizations etc

    
$fields = array(
	'location_input' => 'sanitize_text_field',
	'temperature'    => 'sanitize_text_field',
	'an_url'         => 'sanitize_url',
	'something_else' => 'a_custom_sanitization',
);
foreach ( $fields as $field_name => $sanitize_call_back ) {
	if ( isset( $_POST[ $field_name ] ) && ! empty( $_POST[ $field_name ] ) ) {
		update_post_meta( $post_id, $field_name, $sanitize_call_back( $_POST[ $field_name ] ) );
	} else {
		delete_post_meta( $post_id, $field_name );
	}
}

function a_custom_sanitization( $field ) {
	// do something like preg_replace etc
	return $field;
}
    Thread Starter mabufoysal

    (@mabufoysal)

    Thanks @alanfuller . Could you please evaluate my code ? Is it bad code ? Is there any security issue in my code ? Thanks.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘Sanitize and Save metabox values’ is closed to new replies.