WordPress: update_option, don’t update empty options?

How would I go about not letting empty data into WordPress?

<?php 
foreach($_POST['eirepanel_inline_ads_options_name'] as  $post_eirepanel_inline_ads_options_name):
if(empty($post_eirepanel_inline_ads_options_name)): 
    echo 'empty';
else: 
    update_option('eirepanel_inline_ads_options', $_POST);
    $eirepanel_inline_ads_options = get_option('eirepanel_inline_ads_options');
endif; 
endforeach;
?>

2 comments

  1. More importantly, you should not let *untrusted, unsanitized $_POST data* into WordPress.

    But I think the issue is that you’re updating the option with the entire $_POST data, instead of the appropriate array key:

    update_option('eirepanel_inline_ads_options', $_POST);
    

    Should probably be something like:

    update_option('eirepanel_inline_ads_options', $_POST['eirepanel_inline_ads_options_name']);
    

    Are your Plugin options discrete (one DB entry per option), or an options array?

    EDIT

    Since you’re using an options array, the correct approach would be:

    1. Define an array to hold the $_POST data ( $input = array() )
    2. Define an array to get the current settings from the DB ( $valid_input = array() )
    3. Sanitize the $_POST data
    4. Update the $valid_input array with the sanitized $input array
    5. Pass the updated $valid_input back to the DB

    e.g.

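    // Raw request data; fall back to an empty array so the loop and merge below stay valid.
    $input = ( isset( $_POST ) ? $_POST : array() );
    // Current settings from the DB; default to an empty array if the option does not exist yet.
    $valid_input = get_option( 'eirepanel_inline_ads_options', array() );
    
    foreach ( $input as $key => $value ) {
       // sanitize data here, writing the cleaned value back to $input[ $key ]
    }
    
    // Submitted values override the stored ones key by key.
    $valid_input = array_merge( $valid_input, $input );
    
    update_option( 'eirepanel_inline_ads_options', $valid_input );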
    

    Just quick and dirty, but should give you an idea.

    Also: using the Settings API would be especially helpful here.

  2. Following on from your response to @Chip’s suggestions, I’d advise you name your inputs like so;

    <input type="text" name="eire[option_key_name]" value="hello world" />
    <input type="text" name="eire[option_key_another]" />
    <input type="text" name="eire[nasty_key_possibility]" />
    

    Then in your code;

    $options = shortcode_atts( array(
        'option_key_name' => 'default value',
        'option_key_another' => 'foobar'
    ), ( array ) $_POST['eire'] );
    

    $options will now only contain the explicit keys passed to shortcode_atts(), with the data from $_POST overriding the defaults.

    Array (
        option_key_name => hello world,
        option_key_another => foobar
    )
    

    You’ll see I’ve used input array names, so as to namespace your $_POST data (as opposed to namespacing every option input name, then having to loop over them and remove it before saving).

    Note: This only strips out keys we don’t want. You’ll probably want to go further and sanitize the individual values, dependent on their data type. If they’re all the same, you could map a callback to the array and have done with it.

    For example, if they’re all plain text fields;

    $options = array_map( 'wp_strip_all_tags', $options );
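
Putting both answers together, as an added example that is not code from either answerer: keep only known keys, sanitize each value, and skip values that are empty after sanitizing so they never overwrite what is already stored. The function names, the nonce action `eire_save_options` (the form is assumed to print it with `wp_nonce_field()`) and the treatment of both fields as plain text are assumptions; the code runs inside WordPress, for example from an admin form handler.

```php
<?php
/**
 * Added example. Keep only whitelisted keys, sanitize each value as plain
 * text, and drop values that are empty after sanitizing.
 * eire_clean_input() is a hypothetical helper name.
 */
function eire_clean_input( array $raw, array $allowed_keys ) {
    $clean = array();
    foreach ( $allowed_keys as $key ) {
        // Skip keys that were not posted, and arrays where a string is expected.
        if ( ! isset( $raw[ $key ] ) || ! is_scalar( $raw[ $key ] ) ) {
            continue;
        }
        // WordPress adds slashes to $_POST; remove them before sanitizing.
        $value = sanitize_text_field( wp_unslash( $raw[ $key ] ) );
        // Strict comparison instead of empty(): a submitted "0" is kept.
        if ( '' === $value ) {
            continue;
        }
        $clean[ $key ] = $value;
    }
    return $clean;
}

/** Hypothetical save handler for the form with eire[...] inputs shown above. */
function eire_save_options() {
    if ( ! isset( $_POST['eire'] ) || ! is_array( $_POST['eire'] ) ) {
        return;
    }
    // Only administrators may change the option, and only via our own form.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    check_admin_referer( 'eire_save_options' ); // stops the request if the nonce is missing or invalid

    $allowed = array( 'option_key_name', 'option_key_another' );
    $clean   = eire_clean_input( $_POST['eire'], $allowed );
    if ( empty( $clean ) ) {
        return; // nothing non-empty was submitted, so leave the DB untouched
    }

    // Merge over the stored array so keys that were skipped keep their old values.
    $stored = get_option( 'eirepanel_inline_ads_options', array() );
    update_option( 'eirepanel_inline_ads_options', array_merge( (array) $stored, $clean ) );
}
```

With the three inputs from the second answer, `nasty_key_possibility` is discarded by the whitelist and the empty `option_key_another` field is skipped, so only `option_key_name` is written.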