WordPress sanitize data before saving with update_post_meta

I am trying to create post options for my new WordPress template, but I don’t know how I can sanitize or validate my custom post meta data before saving:

// Raw request input, stored as-is without any sanitization or validation.
$data = $_POST['enablog_post_options'];

// Update the meta fields in the database.
update_post_meta( $post_id, 'enablog_post_options', $data );

All options (YouTube URL, text, checkbox and radio buttons) are saved with my unique meta key enablog_post_options.


Update:

sanitize_text_field() corrupted all my code (all checkboxes are checked when I save the post); IMHO I need more than simply sanitize_text_field(), because $_POST['enablog_post_options'] has checkboxes, text fields and more.


3 comments

  1. First. Assuming $_POST['enablog_post_options'] is an array, it should be sanitized as an array, iterating over each element in a loop, not as a string with all elements at once.

    So look into your enablog_post_options array and decide on a data-type-dependent technique of sanitization for each element. The WP Codex can help you get started with it.

    Now. Once you understand what data types you are really going to sanitize, I suspect it is worth mentioning the update_post_meta() built-in sanitization actions and the custom filters you can hook into the function.

    So, anyone can look up the code of the update_metadata() function that does the heavy lifting for update_post_meta() here in the Core Metadata API source code.

    But meanwhile, it sanitizes:

    • meta key with sanitize_key() and wp_unslash();
    • meta value with wp_unslash() and sanitize_meta() (more explanation on this one follows);
    • database save query with wpdb::prepare(), called from update_metadata() -> wpdb::update().

    Sanitize with sanitize_meta().

    The convenient way to additionally sanitize the [custom] post meta is via sanitize_meta(). The update_metadata() already hooks the potentially existing custom sanitization filter you have to create into the process of meta field sanitization. This is done via sanitize_meta().

    It is called from update_metadata() like this with all your post meta parameters:

    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );
    

    So you can just make a custom sanitization filter to work with your post meta like this (the example from WP Codex sanitize_meta() description, the link above):

    // --- sanitize_meta() call is commented out because it is called from update_metadata()
    // $clean_value = sanitize_meta( 'birth-year', $user_input, 'user' );
    function sanitize_birth_year_meta( $year ) {
        $now = date( 'Y' );
        $then = $now - 115; // No users older than 115.
        if ( $then > $year || $year > $now ) {
            wp_die( 'Invalid entry, go back and try again.' );
        }
        return $year;
    }
    add_filter( 'sanitize_user_meta_birth-year', 'sanitize_birth_year_meta' );
    

    Continuing with some imaginary code, in sanitize_birth_year_meta() instead of $year you will get your $data content to be sanitized when the filter is called.

  2. WordPress standards recommend using wp_unslash() for every global variable ($_POST, $_GET, etc.); after that, use any sanitize function according to your need.

    $data = sanitize_text_field( wp_unslash( $_POST['enablog_post_options'] ) );
    
    // Update the meta fields in the database.
    update_post_meta( $post_id, 'enablog_post_options', $data );
    
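Putting both comments together for the mixed array in the question (unslash the input, then sanitize each field by its own type through the filter that sanitize_meta() applies inside update_metadata()), as an added example that is not code from the question, either comment or WordPress core. The field names text, youtube_url, featured and layout, the allowed radio values and the nonce name are assumptions for illustration.

```php
<?php
// Added example (not from the question or either comment): sanitize the mixed
// enablog_post_options array field by field, hooked to the filter that
// sanitize_meta() applies inside update_metadata(). Field names, the
// allowed radio values and the nonce name are assumptions.
function enablog_sanitize_post_options( $value ) {
    // A non-array is rejected outright rather than cast to the string "Array".
    if ( ! is_array( $value ) ) {
        return array();
    }
    $clean = array();

    // Text field: strip tags, invalid UTF-8 and line breaks (strings only).
    $clean['text'] = ( isset( $value['text'] ) && is_string( $value['text'] ) )
        ? sanitize_text_field( $value['text'] ) : '';

    // YouTube URL: allow only https URLs on an expected host, otherwise store nothing.
    $url  = ( isset( $value['youtube_url'] ) && is_string( $value['youtube_url'] ) )
        ? esc_url_raw( trim( $value['youtube_url'] ), array( 'https' ) ) : '';
    $host = $url ? strtolower( (string) wp_parse_url( $url, PHP_URL_HOST ) ) : '';
    $clean['youtube_url'] = in_array( $host, array( 'www.youtube.com', 'youtube.com', 'youtu.be' ), true ) ? $url : '';

    // Checkbox: an unchecked box is absent from $_POST, so only presence counts;
    // store a strict '1' / '0' instead of whatever value the browser sent.
    $clean['featured'] = ! empty( $value['featured'] ) ? '1' : '0';

    // Radio buttons: whitelist the allowed values and fall back to the default.
    $allowed_layouts = array( 'default', 'wide', 'full' );
    $clean['layout'] = ( isset( $value['layout'] ) && in_array( $value['layout'], $allowed_layouts, true ) )
        ? $value['layout'] : 'default';

    return $clean;
}
// update_metadata() calls sanitize_meta(), which applies "sanitize_{$object_type}_meta_{$meta_key}".
add_filter( 'sanitize_post_meta_enablog_post_options', 'enablog_sanitize_post_options' );

// Save handler: check capability and nonce first, unslash the raw input,
// then let update_post_meta() run the filter above before the database write.
function enablog_save_post_options( $post_id ) {
    if ( ! isset( $_POST['enablog_post_options'] ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    check_admin_referer( 'enablog_post_options_save', 'enablog_post_options_nonce' );
    $data = wp_unslash( $_POST['enablog_post_options'] );
    update_post_meta( $post_id, 'enablog_post_options', $data );
}
add_action( 'save_post', 'enablog_save_post_options' );
```

Because the filter runs inside update_metadata(), every caller of update_post_meta() for this key gets the same sanitization, not just this save handler.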
