WordPress gives you native functions to Validate, sanitize and escape data in your WordPress application. In this article I’ll show you WordPress’s functions for doing this and provide theoretical context as well as examples of how to use these functions.
Table of Contents
- What is User Data in WordPress
- Why do you need to ‘disinfect’ Data in WordPress?
- How Plugins Sanitize, Validate and Escape Data in WordPress
- Learn WordPress customization throughly with an online course at Udemy
What is User Data in WordPress
User Data in WordPress is any kind of information you take from the end user. This is most likely Form Data that a user fills out on your site but could also be information from the URL the user is loading. This later kind is known as URL Parameters or $_GET Variables.
Why do you need to ‘disinfect’ Data in a WordPress site?
You ‘disinfect’ or ‘sanitize’ and ‘pre-process’ (validate and escape) User Data in WordPress sites for two reasons mainly.
The first is security and the second is data integrity.
Security: User Data is one of the easiest ways a Hacker could hack your website or database and as such pre-processing the User Data before you save it into the database (after a form submission for example) so that they cannot manipulate your site easily.
PROTIP: Hacking a WordPress site is quite popular for hackers. This is because WordPress is one of the most common pieces of software on the web and as such is a large and easy target for hackers.
Data Integrity:
Before allowing User Data into your Database you want to check (validate) that the data that they are entering is as expected. For example, if an ‘date’ input field has letters in it we know that the user has not entered a properly formatted number to represent the date. We know we don’t want this kind of format and so validating the User Data before accepting the data into the database can help you to keep ‘data integrity’ within your site.
If you were to later try and print this date out or use it in some other kind of way like in an MYSQL query then it would probably fail at worst and at least require extra work for you to make it readable – which you want to try and avoid.
What is ‘Sanitization’ in WordPress?
Sanitization in WordPress means that you basically run your User Data through one of a list of sanitization functions. These functions will perform certain checks and make sure the user data is appropriate for what its being used for.
For example, sanitize_email(), is the sanitization function you’d use on an email field from a form for example. This function, if you go look at what it is doing in the WordPress Codex, is running the User Data through a bunch of checks and balances and removing certain characters or validating the user data to make sure it fits the format of an email address.
Once your User Data has been passed through this function the ‘clean’ result is returned to us and we can carry on writing code.
The full list of functions can be seen in the official documentation but here is a list below.
- sanitize_email()
- sanitize_file_name()
- sanitize_html_class()
- sanitize_key()
- sanitize_meta()
- sanitize_mime_type()
- sanitize_option()
- sanitize_sql_orderby()
- sanitize_text_field()
- sanitize_title()
- sanitize_title_for_query()
- sanitize_title_with_dashes()
- sanitize_user()
- esc_url_raw()
- wp_filter_post_kses()
- wp_filter_nohtml_kses()
How to use WordPress’s Sanitization Functions:
In your application you can write some PHP to use the above functions like this,
NOTE: You should do the below at the earliest point possible in your application so that there is no place in which you can use the ‘dirty’ version.
<?php
$cleanEmail = sanitize_email($_REQUEST['dirtyEmail']);
// at this point you can refer to $cleanEmail is the variable you would use for the rest of your application
What is ‘Validation’ in WordPress?
‘Validation’ in WordPress is really just ‘making sure data is accurate’ before using it or that it is present in the case of ‘required fields’. So, making sure an email address is formatted correctly before submitting a form or making sure a date is in the correct format.
WordPress again gives you some functions to deal with this but also PHP has some of its own native functions which can help.
WordPress gives you,
- is_email() will validate whether an email address is valid.
- term_exists() checks whether a tag, category, or other taxonomy term exists.
- username_exists() checks if username exists.
- validate_file() will validate that an entered file path is a real path (but not whether the file exists).
and PHP gives you,
- isset() and empty() for checking whether a variable exists and isn’t blank
- mb_strlen() or strlen() for checking that a string has the expected number of characters
- preg_match(), strpos() for checking for occurrences of certain strings in other strings
- count() for checking how many items are in an array
- in_array() for checking whether something exists in an array
You can see more on validation in the WordPress documentation for plugin developers.
How to use WordPress’s Validation Functions
In your application, before you submit a form for example, you could do something like the below to validate before you carry on with your application.
<?php
if(is_email($cleanEmail)){
// carry on with your application
}else{
// alert the user to the validation error in the form
}
What is it to ‘Escape Data’ in WordPress?
Escaping Data in WordPress is different from ‘sanitization’ and ‘validation’ in that escaping data happens when you are outputting it from the WordPress database. The former processes happen before user data is put into the database.
Escaping your data with WordPress’s native functions means that you will remove any unwanted HTML or other characters from data before it is presented to the user.
WordPress gives you some functions to escape data as below,
- esc_html() – Use this function anytime an HTML element encloses a section of data being displayed.
- esc_url() – Use this function on all URLs, including those in the src and href attributes of an HTML element.
- esc_js() – Use this function for inline Javascript.
- esc_attr() – Use this function on everything else that’s printed into an HTML element’s attribute.
- esc_textarea() – encodes text for use inside a textarea element.
You can read more about escaping data in WordPress in its documentation here.
How to use WordPress’s Escape Functions
When you are printing stuff to screen you can use escape functions like so.
<?php
<a href="<?php echo esc_url($url); ?>"/>Your Link</a>
How Plugins Sanitize, Validate and Escape Data in WordPress
Plugins which you install in WordPress rely on these functions to create safe ways to extend the functionality of a WordPress site. Plugin developers utilize the functions above to keep them safe from hackers, keep data integrity and print out data usefully to a page.
Learn WordPress customization throughly with an online course at Udemy
If you are having difficulty understanding this tutorial and then I suggest you start from scratch with WordPress in general. The best way to learn is with a better all around general understanding of WordPress. Check out some of the courses on Udemy related to WordPress. They cover developer level courses and more non-dev CMS editor type tutorials as well.