When your plugin reads from $_POST, $_GET or $_REQUEST, it's important to sanitize, validate, and escape that data. The goal is to prevent a user from accidentally sending trash data through the system, as well as to protect them from potential security issues.
SANITIZE: Wherever generated content is inserted into the database or into a file, or is otherwise processed by WordPress, the data MUST be properly sanitized for security. By sanitizing your POST data when it is used to make action calls or URL redirects, you lessen the possibility of XSS vulnerabilities. You should never insert raw data into the database, even through an update function, and even with a prepare() call.
If you had a text input field like
<input name="your-name" type="text" />
You could sanitize it using the sanitize_text_field() function.
$name = sanitize_text_field( $_POST['your-name'] );
update_post_meta( $post->ID, 'your-name', $name );
Other functions used for sanitizing the data are.
VALIDATE: In addition to sanitization, you should validate all your calls. If a $_POST value should only be a number, ensure it's an int() before you pass it through anything. Even if you're sanitizing or using WordPress functions to ensure things are safe, we ask that you please validate for sanity's sake. Any time you are adding data to the database, it should be the right data.
For example, if you want the zip code as an integer, use the intval() function to validate the input value.
$zipcode = intval( $_POST['zipcode'] );
ESCAPE: When you’re outputting data, make sure to escape it properly, so it can’t hijack admin screens. There are many esc_*() functions you can use to make sure you don’t show people the wrong data.
In all cases, using stripslashes or strip_tags is not enough. You need to use the most appropriate method associated with the type of content you’re processing. Check that a URL is a URL and don’t just be lazy and use sanitize_text please. The ultimate goal is that you should ensure that invalid and unsafe data is NEVER processed or displayed. Clean everything, check everything, escape everything, and never trust the users to always have input sane data.
Some commonly used helper functions are as follows.
esc_html() is used when an HTML element encloses a section of data we're outputting.
<h2><?php echo esc_html( $title ); ?></h2>
esc_url() is used for all URLs placed in HTML elements.
<img src="<?php echo esc_url( $great_user_picture_url ); ?>" />
esc_js() is used for inline JavaScript, such as the value of an onclick attribute.
<a href="#" onclick="<?php echo esc_js( $custom_js ); ?>">Click me</a>
esc_attr() is used on data that goes into an HTML element's attribute.
<div id="<?php echo esc_attr( $element_id ); ?>"></div>
esc_textarea() encodes text placed inside a textarea element.
<textarea><?php echo esc_textarea( $text ); ?></textarea>
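Putting the three steps together, here is an added example (not the article's sample plugin) of a save handler that sanitizes and validates the three fields discussed above and a render function that escapes each value for its output context. It assumes it runs inside WordPress, where sanitize_text_field(), esc_url_raw(), wp_unslash(), update_post_meta() and the esc_*() functions exist; the function names and the 'website' field are hypothetical.

```php
<?php
// Added example, not the article's plugin. Assumes it runs inside WordPress,
// where sanitize_text_field(), esc_*() and update_post_meta() exist.

add_action( 'save_post', 'example_save_contact_meta' );

function example_save_contact_meta( $post_id ) {
    // Only handle a submission that carries all three fields, by a user allowed to edit.
    if ( ! isset( $_POST['your-name'], $_POST['zipcode'], $_POST['website'] ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // SANITIZE: strip tags, control characters and extra whitespace from free text.
    $name = sanitize_text_field( wp_unslash( $_POST['your-name'] ) );

    // VALIDATE: the zip code must be an integer in a plausible range; reject otherwise.
    $zipcode = intval( $_POST['zipcode'] );
    if ( $zipcode < 1 || $zipcode > 99999 ) {
        return; // invalid data is never written
    }

    // SANITIZE the URL with the URL-specific function (esc_url_raw() is for storage,
    // esc_url() for output) and VALIDATE that a usable http(s) URL survived.
    $website = esc_url_raw( wp_unslash( $_POST['website'] ), array( 'http', 'https' ) );
    if ( '' === $website ) {
        return;
    }

    update_post_meta( $post_id, 'your-name', $name );
    update_post_meta( $post_id, 'zipcode', $zipcode );
    update_post_meta( $post_id, 'website', $website );
}

// ESCAPE at output time, choosing the function that matches each context.
function example_render_contact( $post_id ) {
    $name    = get_post_meta( $post_id, 'your-name', true );
    $zipcode = get_post_meta( $post_id, 'zipcode', true );
    $website = get_post_meta( $post_id, 'website', true );
    ?>
    <div class="contact" data-zip="<?php echo esc_attr( $zipcode ); ?>">
        <h2><?php echo esc_html( $name ); ?></h2>
        <a href="<?php echo esc_url( $website ); ?>">Website</a>
    </div>
    <?php
}
```

Note that the stored value is escaped again on output: sanitizing on the way in does not replace escaping on the way out, because each output context (text, attribute, URL) has different rules.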
Let’s actually develop a WordPress plugin
Now, let's develop your first WordPress plugin. As an example, I am going to create a sample plugin that adds custom text (it could be a simple paragraph, a heading, etc.) anywhere on the website. You can download this small sample plugin using the link at the bottom of the article.