When building any sort of web application you need to focus on security, and one area that is a must is data validation.
Data in your web application can come from many sources: the system's users, third parties or your own database. Everything needs to be validated before it is stored in your database.
Don't trust any sort of input from the user of the system. If the user has to type something into an input field, then most likely this value will be used either to add data to the database or to get data from the database. You are therefore giving this data access to your database, so don't trust it.
Data coming from malicious users is the most common cause of security problems: buffer overflows, SQL injection, cross-site scripting (XSS) and so on. This is why you must validate every input in your web application.
In terms of WordPress, if you have developed a plugin with a settings panel then you must make sure that you validate those inputs. You might think that because this is in the admin area an admin isn't going to try SQL injection on their own site, but what if the plugin is installed on a multi-author site, where a number of different people have access to the plugin settings page?
Luckily WordPress comes with a number of built-in functions to help with data validation.
Output As Integer
If you have a variable in PHP and you want to make sure that it is always going to be an integer then you have two options: you can either use the PHP function intval( $int ) or you can cast the variable to an integer using (int) $int.
// Signature: intval( $int [, $base = 10 ] )
// The results below are the PHP manual's examples from a 32-bit build;
// on a 64-bit build the large-value results differ (for example
// intval(1e10) returns 10000000000), and from PHP 7.1 intval('1e10')
// is also parsed as a number rather than returning 1.
echo intval(42);                          // 42
echo intval(4.2);                         // 4
echo intval('42');                        // 42
echo intval('+42');                       // 42
echo intval('-42');                       // -42
echo intval(042);                         // 34 (octal literal)
echo intval('042');                       // 42 (leading zero in a string is ignored)
echo intval(1e10);                        // 1410065408 (32-bit overflow)
echo intval('1e10');                      // 1 (pre-7.1 behaviour)
echo intval(0x1A);                        // 26
echo intval(42000000);                    // 42000000
echo intval(420000000000000000000);       // 0
echo intval('420000000000000000000');     // 2147483647 (clamped to PHP_INT_MAX)
echo intval(42, 8);                       // 42 (base only applies to strings)
echo intval('42', 8);                     // 34
echo intval(array());                     // 0
echo intval(array('foo', 'bar'));         // 1
The output of these will be the same, but for performance I tend to use the casting option.
Output As Float
If you want to make sure that a variable's value is treated as a float then you can use the PHP function floatval( $float ).
// Leading numeric characters are kept; the trailing text is discarded.
$var = '122.34343The';
$float_value_of_var = floatval($var);
echo $float_value_of_var; // 122.34343
Or you can cast the value by using the (float) cast.
$var = '122.34343The';
$float_value_of_var = (float) $var;
echo $float_value_of_var; // 122.34343
Validate HTML Elements
When you need to make sure that an HTML fragment output from the server side is correctly formed you can use the WordPress function wp_kses(). This function makes sure that only allowed HTML elements, attribute names and attribute values remain in the string; anything else is stripped.
The wp_kses function is called with 3 parameters.
- $string - The provided string to validate.
- $allowed_html - An array of allowed HTML elements and, for each element, the attributes it may carry.
- $allowed_protocols - An optional array of trusted URL protocols (schemes) for attributes such as href and src.
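The following is an added example, not code from the original post, showing how a plugin might run a "description" setting through wp_kses() with an explicit whitelist. It assumes WordPress is loaded; the $untrusted string is a constructed sample and the allowed-tag list is chosen for illustration.

```php
<?php
// Added example (not from the original post). Assumes WordPress is loaded.

// Whitelist: element name => array of permitted attribute names.
// Anything not listed here (tags, attributes, other schemes) is removed.
$allowed_html = array(
    'a'      => array(
        'href'  => array(),
        'title' => array(),
    ),
    'strong' => array(),
    'em'     => array(),
    'br'     => array(),
);

// Constructed sample input: legitimate markup mixed with a <p> tag that is
// not whitelisted, an inline event handler, a javascript: URL and a script tag.
$untrusted = '<p onclick="alert(1)">Hi <strong>there</strong> '
           . '<a href="javascript:alert(1)" title="x">link</a> '
           . '<script>alert(1)</script> <em>ok</em></p>';

// Third argument: only these schemes may appear in href/src attributes.
$clean = wp_kses( $untrusted, $allowed_html, array( 'http', 'https' ) );

// What wp_kses() did here:
// - <p> and <script> are not in $allowed_html, so the tags are stripped
//   (their text content is kept, so "alert(1)" survives as plain text).
// - onclick is not a permitted attribute of any allowed element, so it is dropped.
// - The javascript: scheme is not in $allowed_protocols, so it is removed
//   from the href value before the attribute is written back.
// - <strong>, <em> and the title attribute on <a> survive unchanged.
echo $clean;
```

Keep the whitelist as small as the feature needs; every extra element or attribute you allow is something a co-author on a multi-author site can put on the page.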
Encode Text For A Textarea
When you are displaying text from the database inside a textarea you should escape the characters to make sure they render correctly in the textarea and cannot close the element early.
WordPress comes with the function esc_textarea( $val ), which escapes text for use inside a textarea.
Escape HTML Attributes
When displaying input fields from the server side there will be times when you have dynamic HTML attributes such as name, id, value or class. Using the WordPress function esc_attr( $val ) you can make sure that the value added to the HTML attribute has its special characters escaped.
<input type="text" name="field_name" value="<?php echo esc_attr( $val ); ?>" />
If you want to echo the escaped value directly rather than return it, WordPress also provides esc_attr_e(), which translates, escapes and echoes the string in one call.
Escape JavaScript
WordPress comes with the function esc_js( $val ), which escapes single quotes, runs htmlspecialchars on " and &, and fixes line endings. It is intended for values placed inside a single-quoted JavaScript string literal in an inline script.
Escape URLs
When you need to escape URLs you should always use the function esc_url(). This function makes sure that the URL provided has an accepted protocol, removes invalid characters, and encodes special characters so that the result is valid for a URL.
The esc_url function should be used when you are displaying the URL in a textbox, an input attribute or on the page. If you want to store the value in a database or use the URL to redirect the user you should use the function esc_url_raw().
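The template below is an added example, not code from the original post, and pulls the escaping functions from this section (esc_attr, esc_textarea, esc_js, esc_url, esc_url_raw) together in one settings form, each applied to the context its value lands in. It assumes WordPress is loaded and that an option named myplugin_settings with the keys shown exists; the option and group names are constructed for illustration.

```php
<?php
// Added example (not from the original post). Assumes WordPress is loaded;
// the option name, group name and keys are constructed for illustration.
$settings = wp_parse_args(
    get_option( 'myplugin_settings', array() ),
    array( 'title' => '', 'notes' => '', 'homepage' => '', 'css_class' => '' )
);
?>
<form method="post" action="options.php">
    <?php settings_fields( 'myplugin_group' ); ?>

    <!-- Attribute context: esc_attr() neutralises quotes and angle brackets,
         so a value like  " onfocus="alert(1)  cannot add a new attribute. -->
    <input type="text" name="myplugin_settings[title]"
           value="<?php echo esc_attr( $settings['title'] ); ?>"
           class="<?php echo esc_attr( sanitize_html_class( $settings['css_class'] ) ); ?>" />

    <!-- Textarea context: esc_textarea() encodes a stray </textarea> so the
         stored text cannot close the element and inject markup after it. -->
    <textarea name="myplugin_settings[notes]"><?php echo esc_textarea( $settings['notes'] ); ?></textarea>

    <!-- URL context for display: esc_url() rejects schemes that are not in
         WordPress's allowed list (javascript:, data: and so on). -->
    <input type="url" name="myplugin_settings[homepage]"
           value="<?php echo esc_url( $settings['homepage'] ); ?>" />
    <a href="<?php echo esc_url( $settings['homepage'] ); ?>">Preview</a>

    <!-- Inline-script context: esc_js() is only safe inside a
         single-quoted JavaScript string literal, as here. -->
    <script>
        var pluginTitle = '<?php echo esc_js( $settings['title'] ); ?>';
    </script>

    <?php submit_button(); ?>
</form>
<?php
// When the URL is headed for the database or a redirect rather than the page,
// esc_url_raw() applies the same scheme checks without HTML-entity encoding,
// so stored values are not double-encoded when they are escaped again on output.
$stored_homepage = esc_url_raw( $settings['homepage'] );
```

The rule of thumb the example follows: sanitize on the way in, escape on the way out, and pick the escape function by where the value ends up (attribute, element body, URL, script), not by where it came from.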
Sanitize A String
When you get input from a user you need to sanitize the value: encode or strip invalid characters, strip tags, and remove line breaks, tabs and surplus whitespace.
The WordPress function sanitize_text_field( $val ) does this; it sanitizes the input and returns a string that is safe to be stored in the database.
$safe_string = sanitize_text_field ($val);
Sanitize A String For URL
When you create a new post in WordPress it takes the title of the post and sanitizes it for use in the URL of the post. To do this WordPress has the function sanitize_title(), which takes a string and returns a URL slug for it.
This function removes any HTML or PHP tags, lowercases the text and replaces spaces with hyphens.
$new_url = sanitize_title('Wordpress will convert this to be used in the URL of the post');
echo $new_url; // wordpress-will-convert-this-to-be-used-in-the-url-of-the-post
Sanitize HTML Class Name
If you need to print out an HTML class name you should use the function sanitize_html_class(). This function makes sure that there are no invalid characters in the HTML class name.
echo '<div class="' . esc_attr( sanitize_html_class( $post_class ) ) . '">';
Sanitize File Name
When you are storing file names you need to make sure that you use the WordPress function sanitize_file_name(). This function removes any characters that are not allowed in file names and replaces whitespace with dashes.
Sanitize Email Address
To make sure that an email address only has valid characters WordPress has the function sanitize_email(), which strips any invalid characters from the address.
Validate Email Address
To check that an input email address is valid WordPress has the function is_email(). This returns a truthy value when the email address is valid and false when it is not.
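As an added example, not code from the original post, here is a sanitize_callback for a plugin settings page that applies the input-side functions from this post (the (int) and (float) casts, sanitize_text_field, sanitize_title, sanitize_html_class, sanitize_file_name, sanitize_email, is_email and esc_url_raw) to each field before anything reaches the database, covering the multi-author concern raised at the start. It assumes WordPress is loaded; the option name myplugin_settings, the group name myplugin_group and the field keys are constructed for illustration.

```php
<?php
// Added example (not from the original post). Assumes WordPress is loaded;
// option name, group name and field keys are constructed for illustration.

function myplugin_sanitize_settings( $input ) {
    $input = is_array( $input ) ? $input : array();
    $clean = array();

    // Integer: cast, then enforce the range the plugin actually supports.
    $clean['items_per_page'] = isset( $input['items_per_page'] ) ? (int) $input['items_per_page'] : 10;
    if ( $clean['items_per_page'] < 1 || $clean['items_per_page'] > 100 ) {
        add_settings_error( 'myplugin_settings', 'items_per_page', 'Items per page must be between 1 and 100.' );
        $clean['items_per_page'] = 10;
    }

    // Float: the cast keeps the leading number and drops trailing text ("1.5abc" -> 1.5).
    $clean['ratio'] = isset( $input['ratio'] ) ? (float) $input['ratio'] : 1.0;

    // Free text: strips tags, line breaks and surplus whitespace.
    $clean['title'] = isset( $input['title'] ) ? sanitize_text_field( $input['title'] ) : '';

    // Slug derived from the cleaned title, safe for use in a URL.
    $clean['slug'] = sanitize_title( $clean['title'] );

    // CSS class name: only characters valid in a class survive.
    $clean['css_class'] = isset( $input['css_class'] ) ? sanitize_html_class( $input['css_class'] ) : '';

    // File name: strips characters that are invalid in file names and
    // replaces whitespace with dashes.
    $clean['export_file'] = isset( $input['export_file'] ) ? sanitize_file_name( $input['export_file'] ) : 'export.csv';

    // Email: validate first with is_email(); only then sanitize and store.
    $email = isset( $input['notify_email'] ) ? trim( $input['notify_email'] ) : '';
    if ( '' !== $email && ! is_email( $email ) ) {
        add_settings_error( 'myplugin_settings', 'notify_email', 'The notification address is not a valid email address.' );
        $email = '';
    }
    $clean['notify_email'] = sanitize_email( $email );

    // URL headed for the database: esc_url_raw(), not esc_url().
    $clean['homepage'] = isset( $input['homepage'] ) ? esc_url_raw( $input['homepage'] ) : '';

    // Only the keys built above are returned, so unexpected fields posted
    // to the form are discarded rather than stored.
    return $clean;
}

function myplugin_register_settings() {
    register_setting(
        'myplugin_group',
        'myplugin_settings',
        array( 'sanitize_callback' => 'myplugin_sanitize_settings' )
    );
}
add_action( 'admin_init', 'myplugin_register_settings' );
```

Because the callback is attached through register_setting(), WordPress runs it every time the option is saved, whichever user submits the form, so the validation cannot be bypassed by posting to options.php directly.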