
In this article we are going to see what sanitization and escaping are.

What is sanitization?

Sanitization is the process of securing user input.

What is meant by secure user input?

Suppose we have a settings page in WordPress.

It has some text fields whose values we store in the options table.

When the user clicks Save Settings, we receive the form data and store it in the options table.

Before storing that data in the options table, we need to sanitize or validate the values, and only then store them in the option.

Let’s take a simple example:

$value = $_POST['my_field'];
if ( ! empty( $value ) ) {
     update_option( 'my_option', $value );
}

Here we have not sanitized or validated the my_field input value before saving it into the option my_option.

Let’s see the example below, which uses the sanitization function sanitize_text_field().

$value = sanitize_text_field( $_POST['my_field'] );
if ( ! empty( $value ) ) {
     update_option( 'my_option', $value );
}

Here our input value is sanitized, and a secure value is stored in the options table.
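A fuller version of the settings-save handler above, added here as an example and not code from the original post. It assumes a WordPress plugin context; the option names, field names, text domain and the nonce action my_plugin_save are hypothetical. Each field is sanitized with the function that matches its type, after a capability check and a nonce check, before update_option() is called.

```php
<?php
// Added example (not from the original post): a hardened settings-save handler.
// Assumes WordPress is loaded; option names, field names and the nonce action
// 'my_plugin_save' are hypothetical.

function my_plugin_sanitize_settings( array $input ): array {
    $clean = array();

    // Plain text: strips tags, invalid UTF-8, line breaks and extra whitespace.
    $clean['title'] = sanitize_text_field( $input['title'] ?? '' );

    // E-mail: remove characters that cannot appear in an address, then verify
    // the result is still a valid address; keep the stored value if it is not.
    $email          = sanitize_email( $input['email'] ?? '' );
    $clean['email'] = is_email( $email ) ? $email : get_option( 'my_plugin_email', '' );

    // URL destined for the database: esc_url_raw(), not esc_url(), and only
    // http/https schemes.
    $clean['url'] = esc_url_raw( $input['url'] ?? '', array( 'http', 'https' ) );

    return $clean;
}

function my_plugin_handle_save() {
    // Authorisation first: only users allowed to manage options may save them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'my-plugin' ) );
    }

    // CSRF check: the form must carry a valid nonce for this action.
    check_admin_referer( 'my_plugin_save', 'my_plugin_nonce' );

    // WordPress adds slashes to request data; remove them before sanitizing.
    $clean = my_plugin_sanitize_settings( wp_unslash( $_POST ) );

    // Store each sanitized value in its own option.
    foreach ( $clean as $key => $value ) {
        update_option( 'my_plugin_' . $key, $value );
    }

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_my_plugin_save', 'my_plugin_handle_save' );
```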

We have some other sanitization functions, which we see in the section below.

sanitize_email()
sanitize_file_name()
sanitize_html_class()
sanitize_key()
sanitize_meta()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_text_field()
sanitize_title()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_user()
esc_url_raw()
wp_filter_post_kses()
wp_filter_nohtml_kses()

# Escaping: Securing Output:

esc_html()
esc_url()
esc_js()
esc_attr() 
esc_textarea()

( with Localization )
esc_html__()
esc_html_e()
esc_html_x()
esc_attr__()
esc_attr_e()
esc_attr_x()


Examples ( Sanitize: Secure Input ):

sanitize_email()

$sanitized_email = sanitize_email('     admin@example.com!     ');
echo $sanitized_email;
// Trims the surrounding whitespace and strips the disallowed '!' character.
// Output: 'admin@example.com'

sanitize_file_name()

echo sanitize_file_name("_profile pic--1_.png");
// Output "profile-pic-1_.png"


sanitize_html_class()

// If you want to explicitly style a post, you can use the sanitized version of the post title as a class
$post_class = sanitize_html_class( $post->post_title );
echo $post_class;


sanitize_key()

echo sanitize_key("https://WordPress.org");
// Output "httpswordpressorg"


sanitize_meta()

$clean_value = sanitize_meta( 'birth-year', $user_input, 'user' );


sanitize_mime_type()

sanitize_mime_type( $mime_type );


sanitize_option()

sanitize_option( 'admin_email', 'admin@example.com!' );


sanitize_sql_orderby()
Ensures a string is a valid SQL ‘order by’ clause.

$attr['orderby'] = sanitize_sql_orderby( $attr['orderby'] );
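How sanitize_sql_orderby() fits into a query, added here as an example and not code from the original post. It assumes WordPress is loaded; the table my_plugin_items, its columns and the request parameter are hypothetical. Because ORDER BY cannot be a bound parameter of $wpdb->prepare(), the clause is validated and then further restricted to known columns before being interpolated.

```php
<?php
// Added example (not from the original post): ordering a query by a
// user-supplied column. Assumes WordPress is loaded; the table name and
// columns are hypothetical.

function my_plugin_get_items_ordered( string $orderby_request ): array {
    global $wpdb;
    $table = $wpdb->prefix . 'my_plugin_items';

    // ORDER BY cannot be a %s placeholder in $wpdb->prepare(), so the clause is
    // validated rather than escaped. sanitize_sql_orderby() accepts only
    // "column [ASC|DESC][, column ...]" or RAND() and returns false otherwise.
    $orderby = sanitize_sql_orderby( $orderby_request );

    // A syntactically valid clause may still name a column that should not be
    // sortable, so additionally restrict it to an explicit list.
    $allowed = array( 'id', 'created_at', 'title' );
    if ( false === $orderby ) {
        $orderby = 'id DESC';
    } else {
        foreach ( explode( ',', $orderby ) as $part ) {
            $column = strtolower( strtok( trim( $part ), ' ' ) );
            if ( ! in_array( $column, $allowed, true ) ) {
                $orderby = 'id DESC';
                break;
            }
        }
    }

    // Values still go through prepare(); only the vetted ORDER BY is interpolated.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$table} WHERE status = %s ORDER BY {$orderby} LIMIT %d",
        'published',
        20
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}
```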


sanitize_text_field()

$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );


sanitize_title()

echo sanitize_title("Sanitizing, in WordPress");
// Output "sanitizing-in-wordpress"


sanitize_title_for_query()

$query['name'] = sanitize_title_for_query( $query['name'] );


sanitize_title_with_dashes()

echo sanitize_title_with_dashes("I'm in LOVE with WordPress!!!1");
// Output: im-in-love-with-wordpress1


sanitize_user()
Keeps only alphanumeric characters, _, space, ., -, and @.

$user = sanitize_user( $user );


esc_url_raw()
Use esc_url_raw() if you want to store a URL in the database or use it in a URL redirect.
Otherwise use esc_url().

$url = esc_url_raw( 'https://wordpress.org/' );


wp_filter_post_kses()
Sanitizes content, keeping only the HTML tags allowed in post content.

$content = wp_filter_post_kses( 'This tag is <p> working</p>.' );


wp_filter_nohtml_kses()
Strips all of the HTML from the content.

$content = wp_filter_nohtml_kses('This tag is <p> working</p>.' );

Examples ( Escaping: Securing Output ):

esc_html()

echo esc_html( '<strong>text</strong> <b>bold</b>' );


esc_url()

<img src="<?php echo esc_url( 'https://wordpress.org/logo.png' ); ?>" data-wpmedia-src="<?php echo esc_url( 'https://wordpress.org/logo.png' ); ?>" />


esc_js()

var value = '<?php echo esc_js( $value ); ?>';


esc_attr()
Encodes the <, >, &, " and ' characters.

<?php $fname = ( isset( $_POST['fname'] ) ) ? $_POST['fname'] : ''; ?>
<input type="text" name="fname" value="<?php echo esc_attr( $fname ); ?>">


esc_textarea()
Use esc_textarea() instead of esc_html() when displaying text in a textarea, because esc_textarea() double encodes entities.

<textarea><?php echo esc_textarea( 'Content goes here.' ); ?></textarea>

( with Localization )

esc_html__()

echo esc_html__('Text to translate', 'text-domain');


esc_html_e()

esc_html_e('Text to translate', 'text-domain');


esc_html_x()

esc_html_x('Date translate', 'post date', 'text-domain');


esc_attr__()

echo esc_attr__('Text to translate', 'text-domain');


esc_attr_e()

esc_attr_e('Text to translate', 'text-domain');


esc_attr_x()

esc_attr_x('Date translate', 'post date', 'text-domain');
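The output side of the settings page, added here as an example and not code from the original post: each stored value is rendered with the escaping function that matches its context (attribute, URL, textarea, JavaScript string, translated label). It assumes WordPress is loaded; the options my_plugin_title, my_plugin_email, my_plugin_url and my_plugin_notes, the text domain and the nonce action are hypothetical.

```php
<?php
// Added example (not from the original post): rendering stored settings with
// the escaping function that fits each output context. Assumes WordPress is
// loaded; option names, text domain and nonce action are hypothetical.

function my_plugin_render_form() {
    $title = get_option( 'my_plugin_title', '' );
    $email = get_option( 'my_plugin_email', '' );
    $url   = get_option( 'my_plugin_url', '' );
    $notes = get_option( 'my_plugin_notes', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'my_plugin_save', 'my_plugin_nonce' ); ?>
        <input type="hidden" name="action" value="my_plugin_save">

        <!-- Attribute context: esc_attr() encodes <, >, &, " and ' -->
        <label><?php esc_html_e( 'Title', 'my-plugin' ); ?>
            <input type="text" name="title" value="<?php echo esc_attr( $title ); ?>">
        </label>

        <label><?php esc_html_e( 'E-mail', 'my-plugin' ); ?>
            <input type="email" name="email" value="<?php echo esc_attr( $email ); ?>">
        </label>

        <!-- The value attribute is attribute context; the href is URL context,
             where esc_url() drops schemes outside the allowed protocol list -->
        <label><?php esc_html_e( 'Site URL', 'my-plugin' ); ?>
            <input type="url" name="url" value="<?php echo esc_attr( $url ); ?>">
        </label>
        <?php if ( $url ) : ?>
            <a href="<?php echo esc_url( $url ); ?>"><?php echo esc_html( $url ); ?></a>
        <?php endif; ?>

        <!-- Textarea context: esc_textarea() double-encodes, so a stored
             entity such as &amp; is shown literally rather than interpreted -->
        <label><?php esc_html_e( 'Notes', 'my-plugin' ); ?>
            <textarea name="notes"><?php echo esc_textarea( $notes ); ?></textarea>
        </label>

        <?php submit_button( __( 'Save settings', 'my-plugin' ) ); ?>
    </form>
    <script>
        // JavaScript string context: esc_js() escapes quotes and line breaks.
        var myPluginTitle = '<?php echo esc_js( $title ); ?>';
    </script>
    <?php
}
```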
