Data Validation With WordPress

by Paul Underwood · Dec. 26, 12


When building any sort of web application you need to focus on security, and one area that is a must is data validation.

Data in your web application can come from many sources: the system's users, third parties or your own database. Everything needs to be validated before it is stored in your database.

Don't trust any sort of input from the user of the system. If the user has to type something into an input field then most likely this value will either be used to add data to the database or to get data from the database. You are therefore giving this data access to your database, so don't trust it.

Data coming from malicious users is the most common cause of security problems: buffer overflows, SQL injection, cross-site scripting (XSS) and so on. This is why you must validate every input to your web application.

In terms of WordPress, if you have developed a plugin with a settings panel then you must make sure that you validate those inputs. You might think that because this is in the admin area an admin isn't going to try SQL injection on their own site, but on a multi-author site a number of different people could have access to the plugin settings page.

Luckily WordPress comes with a number of built-in functions to help with data validation.

Output As Integer

If you have a variable in PHP and you want to make sure that it is always going to be an integer then you have two options: you can either use the PHP function intval( $int ) or cast the variable to an integer with (int) $int.

intval( $int );
// Results below are the ones documented for 32-bit PHP 5. On 64-bit builds the
// overflow cases (1e10, 420000000000000000000 and the long numeric string) give
// different values, and since PHP 7.1 intval('1e10') returns 10000000000.
echo intval(42);                      // 42
echo intval(4.2);                     // 4
echo intval('42');                    // 42
echo intval('+42');                   // 42
echo intval('-42');                   // -42
echo intval(042);                     // 34 (octal literal)
echo intval('042');                   // 42
echo intval(1e10);                    // 1410065408
echo intval('1e10');                  // 1
echo intval(0x1A);                    // 26
echo intval(42000000);                // 42000000
echo intval(420000000000000000000);   // 0
echo intval('420000000000000000000'); // 2147483647
echo intval(42, 8);                   // 42 (base ignored for non-strings)
echo intval('42', 8);                 // 34
echo intval(array());                 // 0
echo intval(array('foo', 'bar'));     // 1

(int) $int

The output of these will be the same, but for performance I tend to use the cast.

Output As Float

If you want to make sure that a variable's value is a float then you can use the PHP function floatval( $float ).

$var = '122.34343The';
$float_value_of_var = floatval($var);
echo $float_value_of_var; // 122.34343

Or you can cast the value by using the (float) cast.

$var = '122.34343The';
$float_value_of_var = (float) $var;
echo $float_value_of_var; // 122.34343

Validate HTML Elements

When you need to make sure that HTML output from the server side is well-formed you can use the WordPress function wp_kses(). This function makes sure that only allowed HTML elements, attribute names and attribute values remain in the string.

The wp_kses function is called with three parameters.

  • $string - The provided string to validate.
  • $allowed_html - An array of allowed HTML elements and, per element, their allowed attributes.
  • $allowed_protocols - An optional array of trusted URL protocols.
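The allowlist shape described above, as an added example that is not from the original article; it assumes WordPress is loaded and uses a hypothetical option name.

```php
<?php
// Added example (not from the original article): restricting user-supplied
// HTML with wp_kses(). Assumes WordPress is loaded so wp_kses() exists.

// Allowlist: only these elements and, per element, only these attributes
// survive. Anything else (script, onclick, style, iframe, ...) is stripped.
$allowed_html = array(
    'a'      => array( 'href' => array(), 'title' => array() ),
    'p'      => array(),
    'strong' => array(),
    'em'     => array(),
);

// Constructed sample input of the kind a settings field might receive.
$untrusted = '<p onclick="alert(1)">Hi <strong>there</strong></p>'
           . '<script>alert(1)</script>'
           . '<a href="javascript:alert(1)">bad</a> '
           . '<a href="https://example.com" title="ok">good</a>';

// Third argument: trusted URL protocols. Omitting it falls back to
// wp_allowed_protocols(); it is spelled out here so the allowlist is explicit.
$clean = wp_kses( $untrusted, $allowed_html, array( 'http', 'https' ) );

echo $clean;
// The onclick attribute and the <script> tags are removed (only the text
// between them remains), the javascript: protocol is stripped from the first
// href, and the https link is kept unchanged.

// Store the filtered result, never the raw input (hypothetical option name).
update_option( 'my_plugin_intro_html', $clean );
```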

Encode Text For A Textarea

When you are displaying text from the database inside a textarea you should escape the characters to make sure they render correctly in the textarea.

WordPress comes with the function esc_textarea( $val ), which is used to escape text for use inside a textarea.

Escape HTML Attributes

When displaying input fields from the server side there will be times when you have dynamic HTML attributes such as name, id, value or class. Using the WordPress function esc_attr( $val ) you can make sure that the value added to the HTML attribute has its special characters escaped.

<?php echo '';  ?>

If you need to echo the return of this function it is recommended that you use the function esc_attr_e().

Escape Javascript

If you need to output JavaScript inside an onclick attribute then the values you put in it need to be escaped.

WordPress comes with the function esc_js( $val ), which escapes single quotes and the HTML special characters " and &, and fixes line endings.

Escape URLs

When you need to escape URLs you should always use the function esc_url(). This function makes sure that the provided URL has an accepted protocol, removes invalid characters, and encodes special characters so that they are valid in URLs.

The esc_url function should be used when you display the URL in a textbox, an input attribute or on the page. If you want to store the value in the database or use the URL to redirect the user, use the function esc_url_raw() instead.
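The output-side functions from the last few sections used together on one form, as an added example that is not from the original article; it assumes WordPress is loaded, and the field names and the $opts array are constructed for the example.

```php
<?php
// Added example (not from the original article): rendering a settings form
// with the WordPress escaping functions from this article. Assumes WordPress
// is loaded; $opts is a constructed array standing in for a stored option and
// deliberately contains values that would break the markup if echoed raw.
$opts = array(
    'title'   => 'Site "name" <b>bold</b>',
    'notes'   => "Line one\n</textarea><b>bold</b>",
    'link'    => 'javascript:alert(1)',
    'message' => "It's 'quoted'",
);

// esc_attr(): values inside HTML attributes.
printf( '<input type="text" name="my_plugin[title]" value="%s">',
    esc_attr( $opts['title'] ) );

// esc_textarea(): text between <textarea> tags, so the closing tag inside
// the value cannot terminate the element early.
printf( '<textarea name="my_plugin[notes]">%s</textarea>',
    esc_textarea( $opts['notes'] ) );

// esc_url(): for display. A disallowed protocol such as javascript: yields
// an empty string, so the link is rendered with an empty href.
printf( '<a href="%s">Open</a>', esc_url( $opts['link'] ) );

// esc_js(): strings embedded in an inline handler; single quotes and the
// HTML special characters are escaped and line endings fixed.
printf( '<button onclick="alert(\'%s\')">Show</button>',
    esc_js( $opts['message'] ) );

// Saving or redirecting uses esc_url_raw(), which does not HTML-encode.
$to_store = esc_url_raw( $opts['link'] ); // '' for a javascript: URL
```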

Sanitize A String

When you get input from a user you need to sanitize the value to make sure that you encode any special characters, strip tags, and remove line breaks, tabs and extra whitespace.

The WordPress function sanitize_text_field( $val ) sanitizes the input and returns a string that is safe to store in the database.

$safe_string = sanitize_text_field( $val );

Sanitize A String For URL

When you create a new post in WordPress it takes the title of the post and sanitizes it for use in the post's URL. To do this WordPress has the function sanitize_title(), which takes a string and returns a URL slug for it.

This function will remove any HTML or PHP tags and replace all spaces with a hyphen.

$new_url = sanitize_title('Wordpress will convert this to be used in the URL of the post');
echo $new_url; // wordpress-will-convert-this-to-be-used-in-the-url-of-the-post (the slug is lowercased)

Sanitize HTML Class Name

If you need to print out an HTML class name you should use the function sanitize_html_class(). This function makes sure that there are no invalid characters in the HTML class name.

echo '<div class="' . esc_attr( sanitize_html_class( $post_class ) ) . '">';

Sanitize File Name

When you store file names you need to make sure that you use the WordPress function sanitize_file_name(). This function removes any characters that are not allowed in file names and replaces whitespace with dashes.

Sanitize Email Address

To make sure that an email address contains only valid characters, WordPress has the function sanitize_email(), which strips any invalid characters from the address.

Validate Email Address

To check that an input email address is actually a valid address, WordPress has the function is_email(). It returns the boolean true if the email address is valid.
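The input-side functions from the sanitize and validate sections combined into one settings sanitize callback for the plugin settings page scenario described at the top of the article, as an added example that is not from the original article; it assumes WordPress is loaded, and the option, group and field names are hypothetical.

```php
<?php
// Added example (not from the original article): a sanitize callback for a
// plugin settings page that combines the input-side functions the article
// lists. Assumes WordPress is loaded; option, group and field names are
// hypothetical.
function my_plugin_sanitize_settings( $input ) {
    $get = function ( $key, $default = '' ) use ( $input ) {
        return isset( $input[ $key ] ) ? $input[ $key ] : $default;
    };
    $clean = array();
    // Cast so only a whole number ever reaches the database.
    $clean['items_per_page'] = (int) $get( 'items_per_page', 10 );

    // Strip tags, line breaks and extra whitespace from free text.
    $clean['title'] = sanitize_text_field( $get( 'title' ) );

    // Keep only characters valid in a CSS class name.
    $clean['css_class'] = sanitize_html_class( $get( 'css_class' ) );

    // Storing a URL: esc_url_raw(), not esc_url().
    $clean['link'] = esc_url_raw( $get( 'link' ) );

    // Sanitize first, then validate; drop the value if it is still invalid.
    $email = sanitize_email( $get( 'email' ) );
    if ( '' !== $email && ! is_email( $email ) ) {
        add_settings_error( 'my_plugin_settings', 'invalid_email',
            'The notification email address is not valid.' );
        $email = '';
    }
    $clean['email'] = $email;

    // File names: remove disallowed characters, spaces become dashes.
    $clean['export_file'] = sanitize_file_name( $get( 'export_file', 'export.csv' ) );

    return $clean;
}
// Register the option so WordPress runs the callback on every save.
add_action( 'admin_init', function () {
    register_setting( 'my_plugin_group', 'my_plugin_settings',
        array( 'sanitize_callback' => 'my_plugin_sanitize_settings' ) );
} );
// Constructed sample input, as it might arrive from a multi-author site:
$result = my_plugin_sanitize_settings( array(
    'items_per_page' => '10abc',
    'title'          => "<script>alert(1)</script>Hello\n world",
    'link'           => 'javascript:alert(1)',
    'email'          => 'not an email',
) );
// $result: items_per_page => 10, title => 'Hello world', link => '', email => ''
```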


Published at DZone with permission of Paul Underwood, DZone MVB. See the original article here.
