<form id="tellastory" method="post" action="">
<label for="fullname">Full Name </label>
<input id="fullname" name="fullname" type="text" maxlength="255" value=""/>
<label for="title">Title </label>
<input id="title" name="title" type="text" maxlength="255" value=""/>
<label for="editor">Message </label>
<textarea id="editor" name="editor" rows="20" cols="50"></textarea>
<input type="hidden" name="form_id" value="123456" />
<input id="saveForm" type="submit" name="submit" value="submit" />
</form>
<?php
$storyteller_user_id = "3"; // your guest user id here
$stories_category = "3";    // your stories category id here (used below, so it must be set)
$key = "storyteller";
if (isset($_POST['form_id']) && $_POST['form_id'] == "123456") {
    $my_post = array();
    $my_post['post_title']    = $_POST['title'];  // raw, unsanitized form input
    $my_post['post_content']  = $_POST['editor']; // raw, unsanitized form input
    $my_post['post_status']   = 'publish';
    $my_post['post_author']   = $storyteller_user_id;
    $my_post['post_category'] = array($stories_category);
    $post_Num = wp_insert_post( $my_post );
    add_post_meta($post_Num, $key, $_POST['fullname']); // raw, unsanitized form input
}
?>
Sanitization and escaping is always heavily context-dependent and I’m not an expert in this field; anyway, I did some ‘research’ myself recently, so I’ll try to supply you with some general guidelines until someone with more insight comes and offers the ultimate in-depth answer (which I’ll be eager to read too).
The Codex article on Data Validation is a good starter. I believe esc_html() is the most used method for output.
There also seems to be a newcomer to the WP escaping family in WordPress 3.1 – esc_textarea().
WordPress is trying to make your life easier as always – so be sure to check for existing context-specific functions like sanitize_title() or sanitize_user().
I recommend you do some source-diving and go through the functions in wp-includes/formatting.php to learn more about the various methods and how they are constructed.
There has been a similar discussion on wp-hackers recently – definitely worth reading:
WP-HACKERS: Saving input from untrusted users. I will dare to quote Andrew Nacin’s input on this one:
Still want more?
The Code Cave: WordPress Security – a plugin done right
Smashing Magazine: Keeping Web Users Safe By Sanitizing Input Data
Have a nice and secure day.
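To make the above concrete, here is the question's handler rewritten with sanitization on the way in and escaping on the way out. This is an added example, not code from the question or the answer above; it assumes the same form fields, a nonce field rendered with wp_nonce_field('tellastory', 'tellastory_nonce'), and placeholder user and category ids. sanitize_text_field(), wp_kses_post(), esc_attr() and wp_verify_nonce() are standard WordPress functions not named in the answer.

```php
<?php
// Added example: sanitize form input before wp_insert_post(), escape on output.
// Assumes the question's form plus a nonce field; ids below are placeholders.
$storyteller_user_id = 3;
$stories_category    = 3;
$key                 = 'storyteller';
$title = $content = $fullname = '';
$post_id = 0;
if (isset($_POST['form_id'], $_POST['tellastory_nonce'])
    && $_POST['form_id'] === '123456'
    && wp_verify_nonce($_POST['tellastory_nonce'], 'tellastory')) {
    // Sanitize on input. Single-line fields: sanitize_text_field() strips tags,
    // invalid UTF-8 and stray whitespace. The message: wp_kses_post() keeps only
    // the HTML allowed in post content and drops scripts, event handlers, etc.
    $fullname = isset($_POST['fullname']) ? sanitize_text_field($_POST['fullname']) : '';
    $title    = isset($_POST['title'])    ? sanitize_text_field($_POST['title'])    : '';
    $content  = isset($_POST['editor'])   ? wp_kses_post($_POST['editor'])          : '';
    if ($title !== '' && $content !== '') {
        $result = wp_insert_post(array(
            'post_title'    => $title,
            'post_content'  => $content,
            'post_status'   => 'pending', // hold anonymous stories for moderation
            'post_author'   => absint($storyteller_user_id),
            'post_category' => array(absint($stories_category)),
        ), true);
        if (!is_wp_error($result)) {
            $post_id = $result;
            add_post_meta($post_id, $key, $fullname, true);
        }
    }
}
?>
<?php if ($post_id) : ?>
<p>Thanks, <?php echo esc_html($fullname); ?>, your story is awaiting review.</p>
<?php else : ?>
<form id="tellastory" method="post" action="">
<?php wp_nonce_field('tellastory', 'tellastory_nonce'); ?>
<label for="fullname">Full Name </label>
<input id="fullname" name="fullname" type="text" maxlength="255" value="<?php echo esc_attr($fullname); ?>"/>
<label for="title">Title </label>
<input id="title" name="title" type="text" maxlength="255" value="<?php echo esc_attr($title); ?>"/>
<label for="editor">Message </label>
<textarea id="editor" name="editor" rows="20" cols="50"><?php echo esc_textarea($content); ?></textarea>
<input type="hidden" name="form_id" value="123456" />
<input id="saveForm" type="submit" name="submit" value="submit" />
</form>
<?php endif; ?>
```

Note that esc_attr() is the escaper for attribute values and esc_textarea() for textarea contents; re-populating the form with the sanitized values (rather than the raw $_POST data) keeps both steps in play.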