
Validating Sanitizing and Escaping User Data « WordPress Codex
Your code works, but is it safe? When writing code that will run across hundreds if not thousands of websites, you should be extra cautious of how you handle data coming into WordPress and how it's then presented to the end user. This commonly comes up when building a settings page for your theme, creating and manipulating shortcodes, or saving and rendering extra data associated with a post.
There's a distinction between how input and output are managed, however.
To validate is to ensure the data you've requested of the user matches what they've submitted. The methods you use obviously depend on the type of fields you'd like to validate. Let's take a look at an example.
Say we have an input area in our form like this:
<input type="text" id="my-zipcode" name="my-zipcode" maxlength="5" />
Just like that, we've told the browser to only allow up to five characters of input, but there's no limitation on what characters they can input. They could enter "11221" or "eval(". If we're saving to the database, there's no way we want to give the user unrestricted write access.
This is where validation plays a role. When processing the form, we'll write code to check each field for its proper data type. If it's not of the proper data type, we'll discard it. For instance, to check the "my-zipcode" field, we might do something like this:
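// Cast the submitted value to an integer; non-numeric input becomes 0.
$safe_zipcode = intval( $_POST['my-zipcode'] );
if ( ! $safe_zipcode ) {
    $safe_zipcode = '';
}
// Enforce the five-character limit on the server as well.
if ( strlen( $safe_zipcode ) > 5 ) {
    $safe_zipcode = substr( $safe_zipcode, 0, 5 );
}
// Save the validated value.
update_post_meta( $post->ID, 'my_zipcode', $safe_zipcode );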
Since the `maxlength` attribute is only enforced by the browser, we still need to validate the length of the input on the server. If we don't, an attacker could manually submit a form with a longer value.
The intval() function casts user input as an integer, and defaults to zero if the input was a non-numeric value. We then check to see if the value ended up as zero. If it did, we'll save an empty value to the database. Otherwise, we'll save the properly validated zipcode.
This style of validation most closely follows WordPress' whitelist philosophy: only allow the user to input what you're expecting. Luckily, there's a helper function you can use for most every data type.
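A stricter variant of the check above, as an added example that is not part of the original article: it accepts only exactly five digits, which keeps leading zeros that intval() drops (intval( '02134' ) is 2134) and rejects values such as '11221<script>' that intval() silently truncates to 11221. The helper names validate_zipcode() and intval_zipcode() and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example: strict whitelist validation for the "my-zipcode" field.
// validate_zipcode() is a hypothetical helper, not a WordPress function.

/**
 * Return the ZIP code if it is exactly five ASCII digits, otherwise ''.
 */
function validate_zipcode( $raw ) {
    // Arrays (my-zipcode[]=x) and other non-string values are rejected outright.
    if ( ! is_string( $raw ) ) {
        return '';
    }
    $raw = trim( $raw );
    // \A and \z anchor the whole string; "$" alone would allow a trailing newline.
    return preg_match( '/\A[0-9]{5}\z/', $raw ) === 1 ? $raw : '';
}

/** The intval()-based check from the article, kept for comparison. */
function intval_zipcode( $raw ) {
    $safe = intval( $raw );
    if ( ! $safe ) {
        return '';
    }
    return substr( (string) $safe, 0, 5 );
}

// Constructed sample submissions (not real user data).
$samples = array( '11221', '02134', '11221<script>', '123', ' 11221 ', 'eval(' );

foreach ( $samples as $raw ) {
    printf(
        "%-18s intval: %-9s whitelist: %s\n",
        json_encode( $raw ),
        json_encode( intval_zipcode( $raw ) ),
        json_encode( validate_zipcode( $raw ) )
    );
}
```

In a form handler, call it as validate_zipcode( wp_unslash( $_POST['my-zipcode'] ) ) after checking that the field is set, then pass the result to update_post_meta() as in the article.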
Sanitization is a bit more liberal of an approach to accepting user data. We can fall back to using these methods when there's a range of acceptable input.
For instance, if we had a form field like this:
<input type="text" id="title" name="title" />
We could sanitize the data with the sanitize_text_field() function:
$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );
Behind the scenes, the function does the following:
Checks for invalid UTF-8
Converts single < characters to entities
Strips all tags
Removes line breaks, tabs and extra white space
Strips octets
The sanitize_*() class of helper functions are super nice for us, as they ensure we're ending up with safe data and require minimal effort on our part.
For security on the other end of the spectrum, we have escaping. To escape is to take the data you may already have and help secure it prior to rendering it for the end user. WordPress thankfully has a few helper functions we can use for most of what we'll commonly need to do:
esc_html() we should use anytime our HTML element encloses a section of data we're outputting.
<h4><?php echo esc_html( $title ); ?></h4>
esc_url() should be used on all URLs, including those in the 'src' and 'href' attributes of an HTML element.
<img src="<?php echo esc_url( $great_user_picture_url ); ?>" />
esc_js() is intended for inline JavaScript.
<a href="#" onclick="<?php echo esc_js( $custom_js ); ?>">Click me</a>
esc_attr() can be used on everything else that's printed into an HTML element's attribute.
<ul class="<?php echo esc_attr( $stored_class ); ?>">
esc_textarea() encodes text for use inside a textarea element.
<textarea><?php echo esc_textarea( $text ); ?></textarea>
It's important to note that most WordPress functions properly prepare the data for output, and you don't need to escape again.
<h4><?php the_title(); ?></h4>
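The escaping functions above combined in one place, as an added example that is not from the Codex article: a shortcode handler that validates one attribute against a whitelist, sanitizes another, and escapes each value for the context it is printed in. It assumes it is loaded by WordPress (for example from a plugin file); the shortcode name "member_badge", its attributes and the function name are hypothetical.

```php
<?php
/**
 * Added example: escape each value for the context it is printed in.
 * Assumes WordPress is loaded; "member_badge" and its attributes are hypothetical.
 *
 * Usage in a post: [member_badge name="Ann" url="https://example.com/ann" style="gold"]
 */
function example_member_badge_shortcode( $atts ) {
    // Shortcode attributes are author-supplied input: fill in defaults first.
    $atts = shortcode_atts(
        array(
            'name'  => '',
            'url'   => '',
            'style' => 'plain',
        ),
        $atts,
        'member_badge'
    );

    // Sanitize: a name has a range of acceptable input.
    $name = sanitize_text_field( $atts['name'] );

    // Validate: only known styles are accepted, anything else falls back to the default.
    $allowed_styles = array( 'plain', 'gold', 'silver' );
    $style          = in_array( $atts['style'], $allowed_styles, true ) ? $atts['style'] : 'plain';

    // Escape late, once, with the function that matches each output context.
    return sprintf(
        '<a class="%s" href="%s" title="%s">%s</a>',
        esc_attr( 'badge badge-' . $style ), // attribute value
        esc_url( $atts['url'] ),             // URL in href
        esc_attr( $name ),                   // attribute value
        esc_html( $name )                    // text between tags
    );
}
add_shortcode( 'member_badge', 'example_member_badge_shortcode' );
```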
To recap: Follow the whitelist philosophy with data validation, and only allow the user to input data of your expected type. If it's not the proper type, discard it. When you have a range of data that can be entered, make sure you sanitize it. Escape data as much as possible on output to avoid XSS and malformed HTML.
Take a look through /wp-includes/formatting.php to see all of the sanitization and escaping functions WordPress has to offer.
An earlier version of this article appeared on the . Republished here with permission.
The influence of compound desoxidant on the clean steel producing
Journal of Xi'an University of Architecture & Technology, 1994, Issue 04
Luan X Sun Xiang (Dept. of Metall., Xi'an Univ. of Arch. & Tech., Xi'an, 710055)
This paper describes the general chemical characteristics of compound desoxidants and discusses their influence on the production of clean steel, with two kinds of compound desoxidant (SiC and Si-Al-Fe) as examples.
The boy fails _(keep) his room clean and tidy.
The old man's neighbors are friendly to him and he lives there h_.
She j_ out of her bed and runs out of the room.
Paul bought a new car. Now he can d_ to work.
Simon is swimming a_ the pool.
Most of the students don't know how to take n_ in class.
镜花水月灬幁
to keep, happily, jumps, drive, at, naps. I hope this answer helps you; please accept it promptly. Thank you!
to keep, happily, jumps, drive, at, notes
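Take notes. Hey, OP, "take naps" means to doze off; it can't be right.
Surely it isn't that most of the class doesn't know how to doze off in class????? The answer above is wrong.
Haha, let's learn together...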