Sanitization and Escaping with Examples


In this article we are going to see what sanitization and escaping are.

What is sanitization?

Sanitization means turning user input into a form that is safe to store and use.

What does secure user input mean?

Suppose we have a settings page in WordPress.

It has some text fields whose values we store in the options table.

When the user clicks Save Settings, we receive the form data and store it in the options table.

Before storing that data in the options table, we need to sanitize or validate the values, and only then store them in the option.

Let’s take a simple example:

[code language="php"]
$value = $_POST['my_field'];
if ( ! empty( $value ) ) {
     update_option( 'my_option', $value );
}
[/code]

Here we have not sanitized or validated the my_field input value before saving it into the option my_option.

Let’s see the same example using the sanitization function sanitize_text_field().

[code language="php"]
$value = sanitize_text_field( $_POST['my_field'] );
if ( ! empty( $value ) ) {
     update_option( 'my_option', $value );
}
[/code]

Here the input value is sanitized first, and only the sanitized value is stored in the options table.

WordPress provides several other sanitization functions, which we list below.

sanitize_email()
sanitize_file_name()
sanitize_html_class()
sanitize_key()
sanitize_meta()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_text_field()
sanitize_title()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_user()
esc_url_raw()
wp_filter_post_kses()
wp_filter_nohtml_kses()

# Escaping: Securing Output:

esc_html()
esc_url()
esc_js()
esc_attr() 
esc_textarea()

( with Localization )
esc_html__()
esc_html_e()
esc_html_x()
esc_attr__()
esc_attr_e()
esc_attr_x()

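Putting both halves together, as an added example that is not from the original article: a plugin settings page that sanitizes each field on save with the input functions listed above and escapes each value again for its context when the form is rendered. The myplugin_* function names, the option key and the field names are hypothetical; wp_unslash(), check_admin_referer(), is_email() and wp_kses_post() (the unslashed variant of wp_filter_post_kses()) are standard WordPress functions not mentioned in the article.

```php
<?php
// Added example, not from the original article: save handler that sanitizes on input
// and a form that escapes on output. Option/field names are hypothetical plugin code.

add_action( 'admin_post_myplugin_save', 'myplugin_save_settings' );

function myplugin_save_settings() {
    // Capability and nonce checks come first; sanitization does not replace them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'myplugin_save', 'myplugin_nonce' );

    // Choose the sanitizer by what each field is allowed to contain.
    $settings = array(
        'site_label'   => sanitize_text_field( wp_unslash( $_POST['site_label'] ?? '' ) ),
        'notify_email' => sanitize_email( wp_unslash( $_POST['notify_email'] ?? '' ) ),
        'help_url'     => esc_url_raw( wp_unslash( $_POST['help_url'] ?? '' ) ), // storage form of the URL
        'notes'        => wp_kses_post( wp_unslash( $_POST['notes'] ?? '' ) ),   // post-safe HTML only
        'mode'         => sanitize_key( wp_unslash( $_POST['mode'] ?? '' ) ),    // lowercase a-z0-9_- only
    );

    // Sanitizing strips bad characters; it does not prove the result is valid, so validate too.
    if ( '' !== $settings['notify_email'] && ! is_email( $settings['notify_email'] ) ) {
        $settings['notify_email'] = '';
    }

    update_option( 'myplugin_settings', $settings );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

function myplugin_render_form() {
    $defaults = array( 'site_label' => '', 'notify_email' => '', 'help_url' => '', 'notes' => '', 'mode' => '' );
    $s        = wp_parse_args( get_option( 'myplugin_settings', array() ), $defaults );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'myplugin_save', 'myplugin_nonce' ); ?>
        <input type="hidden" name="action" value="myplugin_save">
        <!-- Escape for the context each value lands in: attribute, URL, textarea, HTML body. -->
        <input type="text" name="site_label" value="<?php echo esc_attr( $s['site_label'] ); ?>">
        <input type="email" name="notify_email" value="<?php echo esc_attr( $s['notify_email'] ); ?>">
        <input type="url" name="help_url" value="<?php echo esc_url( $s['help_url'] ); ?>">
        <textarea name="notes"><?php echo esc_textarea( $s['notes'] ); ?></textarea>
        <p>Mode: <?php echo esc_html( $s['mode'] ); ?></p>
        <button type="submit"><?php esc_html_e( 'Save settings', 'myplugin' ); ?></button>
    </form>
    <?php
}
```

Note that the stored values are never trusted on the way out: even though they were sanitized on save, each one is escaped again for the exact HTML context it is printed into.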


Examples ( Sanitize: Secure Input ):

sanitize_email()

[code language="php"]
$sanitized_email = sanitize_email('     admin@example.com!     ');
echo $sanitized_email;
// It trims the surrounding whitespace and the trailing '!' and will
// Output: 'admin@example.com'
[/code]

sanitize_file_name()

[code language="php"]
echo sanitize_file_name("_profile pic--1_.png");
// Output "profile-pic-1_.png"
[/code]


sanitize_html_class()

[code language="php"]
// If you want to explicitly style a post, you can use the sanitized version of the post title as a class
$post_class = sanitize_html_class( $post->post_title );
echo $post_class;
[/code]

sanitize_key()

[code language="php"]
echo sanitize_key("https://WordPress.org");
// Output "httpswordpressorg"
[/code]


sanitize_meta()

[code language="php"]
$clean_value = sanitize_meta( 'birth-year', $user_input, 'user' );
[/code]


sanitize_mime_type()

[code language="php"]
sanitize_mime_type( $mime_type );
[/code]


sanitize_option()

[code language="php"]
sanitize_option( 'admin_email', 'admin@example.com!' );
[/code]


sanitize_sql_orderby()
Ensures a string is a valid SQL ‘order by’ clause.

[code language="php"]
$attr['orderby'] = sanitize_sql_orderby( $attr['orderby'] );
[/code]


sanitize_text_field()

[code language="php"]
$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );
[/code]


sanitize_title()

[code language="php"]
echo sanitize_title("Sanitizing, in WordPress");
// Output "sanitizing-in-wordpress"
[/code]


sanitize_title_for_query()

[code language="php"]
$query['name'] = sanitize_title_for_query( $query['name'] );
[/code]


sanitize_title_with_dashes()

[code language="php"]
echo sanitize_title_with_dashes("I'm in LOVE with WordPress!!!1");
// Output: im-in-love-with-wordpress1
[/code]


sanitize_user()
Only keeps alphanumeric characters, _, space, ., -, and @.

[code language="php"]
$user = sanitize_user( $user );
[/code]


esc_url_raw()
Use esc_url_raw() when you want to store a URL in the database or use it in a redirect.
Otherwise, use esc_url().

[code language="php"]
$url = esc_url_raw( 'https://wordpress.org/' );
[/code]


wp_filter_post_kses()
Sanitize content for allowed HTML tags for post content.

[code language="php"]
$content = wp_filter_post_kses( 'This tag is <p> working</p>.' );
[/code]


wp_filter_nohtml_kses()
Strips all of the HTML in the content.

[code language="php"]
$content = wp_filter_nohtml_kses('This tag is <p> working</p>.' );
[/code]


Examples ( Escaping: Securing Output ):

esc_html()

[code language="php"]
echo esc_html( '<strong>text</strong> <b>bold</b>' );
[/code]


esc_url()

[code language="php"]
<img src="<?php echo esc_url( 'https://wordpress.org/logo.png' ); ?>" data-wpmedia-src="<?php echo esc_url( 'https://wordpress.org/logo.png' ); ?>" />
[/code]


esc_js()

[code language="php"]
var value = '<?php echo esc_js( $value ); ?>';
[/code]


esc_attr()
Encodes the <, >, &, " and ' characters.

[code language="php"]
<?php $fname = ( isset( $_POST['fname'] ) ) ? $_POST['fname'] : ''; ?>
<input type="text" name="fname" value="<?php echo esc_attr( $fname ); ?>">
[/code]


esc_textarea()
Use esc_textarea() instead of esc_html() when displaying text inside a textarea, because esc_textarea() can double-encode entities.

[code language="php"]
<textarea><?php echo esc_textarea( 'Content goes here.' ); ?></textarea>
[/code]


( with Localization )

esc_html__()

[code language="php"]
echo esc_html__('Text to translate', 'text-domain');
[/code]


esc_html_e()

[code language="php"]
esc_html_e('Text to translate', 'text-domain')
[/code]


esc_html_x()

[code language="php"]
esc_html_x('Date translate', 'post date', 'text-domain')
[/code]


esc_attr__()

[code language="php"]
echo esc_attr__('Text to translate', 'text-domain');
[/code]


esc_attr_e()

[code language="php"]
esc_attr_e('Text to translate', 'text-domain');
[/code]


esc_attr_x()

[code language="php"]
esc_attr_x('Date translate', 'post date', 'text-domain')
[/code]