I have added a select box in the Post meta. Here is the code, and it works fine. My question is, do I need to sanitize the values before updating the post meta? If yes, how it should be done?
This is how I’m adding the meta field:
<?php $value = get_post_meta( $post->ID, 'my_options', true ); ?>
<select name="my_options">
<option value="option1" <?php selected( $value, 'option1'); ?>><?php _e('Option 1', 'textdomain'); ?></option>
<option value="option2" <?php selected( $value, 'option2'); ?>><?php _e('Option 2', 'textdomain'); ?></option>
</select>
and this is how I’m updating the value:
if ( isset( $_POST['my_options'] )){
update_post_meta( $post->ID, 'my_options', $_POST['my_options'] );
}
2 Answers
When accepting user data inputs, I think that data validation must be performed if possible, not only sanitization. For example, you could expect a number, a bool value, a text string (even when the input is a selectbox it can have a string value), etc. You can sanitize for those data types; then you can go further and validate the data against expected values: integer, float, true/false, emails, URLs, and so on.
Let’s go with your selectbox. It has two options with the values “option1” and “option2”, so both are strings and can be sanitized with sanitize_text_field:
if ( isset( $_POST['my_options'] )){
$value = sanitize_text_field( $_POST['my_options'] );
update_post_meta( $post->ID, 'my_options', $value );
}
But a user can change the value of the form select options easily from the frontend, so he/she can manipulate the form and send values different to “option1” or “option2” that you will store in the database. As you know exactly what the expected values are, you can do a data sanitization and data validation. For example:
if ( isset( $_POST['my_options'] )){
$valid_values = array(
'option1',
'option2',
);
$value = sanitize_text_field( $_POST['my_options'] );
if( in_array( $value, $valid_values, true ) ) { // strict comparison: no type juggling
update_post_meta( $post->ID, 'my_options', $value );
}
}
Or you can define a custom sanitization callback for the “my_options” meta key and use sanitize_meta:
if ( isset( $_POST['my_options'] ) ){
$value = sanitize_meta( 'my_options', $_POST['my_options'], 'post' );
update_post_meta( $post->ID, 'my_options', $value );
}
And define the sanitization callback:
add_filter( 'sanitize_post_meta_my_options', 'sanitize_my_options_meta' );
function sanitize_my_options_meta( $value ) {
$value = sanitize_text_field( $value );
$valid_values = array(
'option1',
'option2',
);
if( ! in_array( $value, $valid_values, true ) ) { // strict comparison
wp_die( 'Invalid value, go back and try again.' );
}
return $value;
}
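As an added example (not code from the question or the answer above), here is how the whitelist validation fits into a complete save handler that also verifies a nonce and the user's capability before writing the meta. The function names, the nonce action and field names, and the use of register_meta to attach the callback are assumptions.

```php
<?php
// Added example, not from the original question or answer.
// `my_plugin_*`, `my_options_nonce` and `my_options_save` are assumed names.

// Registering the key attaches the callback to the same
// 'sanitize_post_meta_my_options' filter the answer uses, so every write
// path (update_post_meta, REST, etc.) goes through the whitelist.
add_action( 'init', function () {
    register_meta( 'post', 'my_options', array(
        'type'              => 'string',
        'single'            => true,
        'sanitize_callback' => 'my_plugin_sanitize_my_options',
    ) );
} );

// Sanitize, then validate against the exact set of allowed values.
// Returns '' for anything outside the whitelist so nothing unknown is stored.
function my_plugin_sanitize_my_options( $value ) {
    $valid_values = array( 'option1', 'option2' );
    $value        = sanitize_text_field( (string) $value );
    return in_array( $value, $valid_values, true ) ? $value : '';
}

// In the meta box markup, next to the <select>, output the nonce field:
// wp_nonce_field( 'my_options_save', 'my_options_nonce' );

function my_plugin_save_my_options( $post_id ) {
    // Autosaves and revisions never carry the meta box form.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) { return; }
    if ( wp_is_post_revision( $post_id ) ) { return; }
    // CSRF check: the request must come from our own meta box form.
    if ( ! isset( $_POST['my_options_nonce'] )
        || ! wp_verify_nonce( $_POST['my_options_nonce'], 'my_options_save' ) ) {
        return;
    }
    // Authorisation: only a user allowed to edit this post may change its meta.
    if ( ! current_user_can( 'edit_post', $post_id ) ) { return; }
    if ( ! isset( $_POST['my_options'] ) ) { return; }

    $value = my_plugin_sanitize_my_options( wp_unslash( $_POST['my_options'] ) );
    if ( '' === $value ) { return; } // rejected by the whitelist: store nothing
    update_post_meta( $post_id, 'my_options', $value );
}
add_action( 'save_post', 'my_plugin_save_my_options' );
```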