WordPress sanitize data before saving with update_post_meta

1 Views

I am trying to create post options for my new WordPress template, but I don’t know how I can sanitize or validate my custom post meta data before saving: 

$data = $_POST['enablog_post_options'];

// Update the meta fields in the database.
update_post_meta( $post_id, 'enablog_post_options',$data );

All options (YouTube URL, text, checkbox and radio buttons) are saved with my unique meta key enablog_post_options.

Read More

Update:

sanitize_text_field() corrupted all my code (all checkboxes are checked when I save the post), IMHO I need more than simply sanitize_text_field(), because $_POST['enablog_post_options'] has checkboxes, text fields and more.

Post Views: 1

Related posts

3 comments

  1. First. Assuming the $_POST['enablog_post_options'] is an array it should be sanitized as an array, iterating each one element in a loop. Not as a string, all elements at once.

    So look up into your enablog_post_options array and decide a data-type-dependent techinque of sanitizaion for each element. WP Codex can help starting with it.

    Now. As you understand what data types you are really going to sanitize, I suspect it is worth mentioning the update_post_meta() built-in sanitization actions & custom filters you can hook to the function.

    So, anyone can look up the code of the update_metadata() function that does the heavy lifting for update_post_meta() here in the Core Metadata API source code.

    But meanwhile, it sanitizes:

    • meta key with sanitize_key() and wp_unslash();
    • meta value with wp_unslash() and sanitize_meta() (more explanation on this one follows).
    • database save query with wpdb::prepare() called from update_metadata()->wpdb::update();

    Sanitize with sanitize_meta().

    The convenient way to additionally sanitize the [custom] post meta is via sanitize_meta(). The update_metadata() already hooks the potentially existing custom sanitization filter you have to create into the process of meta field sanitization. This is done via sanitize_meta().

    It is called from update_metadata() like this with all your post meta parameters:

    $meta_value = sanitize_meta( $meta_key, $meta_value, $meta_type );

    So you can just make a custom sanitization filter to work with your post meta like this (the example from WP Codex sanitize_meta() description, the link above):

    // --- sanitize_meta() call is commented out because it is called from update_metadata()
// $clean_value = sanitize_meta( 'birth-year', $user_input, 'user' );
function sanitize_birth_year_meta( $year ) {
    $now = date( 'Y' );
    $then = $now - 115; // No users older than 115.
    if ( $then > $year || $year > $now ) {
        wp_die( 'Invalid entry, go back and try again.' );
    }
    return $year;
}
add_filter( 'sanitize_user_meta_birth-year', 'sanitize_birth_year_meta' );

    Continuing with some imagnary code, in sanitize_birth_year_meta() instead of $year you will get your $data content to get sanitized when the the filter is called.

  2. WordPress standards recommend to use wp_unslash() for every global variable that are ($_POST ,$_GET and etc).. after that use any sanitize function according to your need. 

    $data = sanitize_text_field( wp_unslash( $_POST['enablog_post_options'] ) );

// Update the meta fields in the database.
update_post_meta( $post_id, 'enablog_post_options',$data );

Comments are closed.