Background
I’m building a project that, according to the specifications, needs to follow the WordPress Coding Standards. I am using phpcs to scan my code.
If I try to pass $_POST data into a function without sanitizing it, I will get an error.
What I do before my code:
- Verify that this is actually a POST request by checking that $_POST is set.
- Verify that we have a value by checking if $_POST['faq_highlighted'] is set.
- Verify the nonce field using wp_verify_nonce to make sure that the request is from a valid source.
The code
I noticed that depending on how I pass the posted value, the error will behave differently, or disappear, even though there is no change to the functionality of the code.
Version 1
In this version, I check if $_POST['faq_highlighted'] is set. If it is, I update_post_meta against the meta key faq_highlighted with the value of $_POST['faq_highlighted'].
// Version 1.
if ( isset( $_POST['faq_highlighted'] ) ) {
	update_post_meta( $post_id, 'faq_highlighted', $_POST['faq_highlighted'] ); // Error on this line.
}
This rightfully gives me the following error on row 3:
$_POST data not unslashed before sanitization. Use wp_unslash() or similar.
Detected usage of a non-sanitized input variable: $_POST['faq_highlighted']
Version 2
In this version, without any unslashing, escaping or sanitization, I pass the value of $_POST['faq_highlighted'] into a variable called $value_of_post_faq_highlighted. And I get the same error, but on that line.
This makes sense, as it’s the use of a $_POST variable that is not unslashed that is triggering the error.
// Version 2.
$value_of_post_faq_highlighted = $_POST['faq_highlighted']; // Error on this line.
if ( isset( $value_of_post_faq_highlighted ) ) {
	update_post_meta( $post_id, 'faq_highlighted', $value_of_post_faq_highlighted );
}
Version 3
This is where it gets strange. I’m now passing the whole $_POST into a variable called $value_of_post. There is still no unslashing, escaping or sanitization, but phpcs does not give me any warnings.
// Version 3 - No error!
$value_of_post = $_POST;
if ( isset( $value_of_post['faq_highlighted'] ) ) {
	update_post_meta( $post_id, 'faq_highlighted', $value_of_post['faq_highlighted'] );
}
The question
As all the above-mentioned blocks of code do the exact same thing, and they all fail except for version 3, which I think should fail, what would be the correct way of doing this?
My attempt at doing it correctly.
Version 4 – My suggestion
This is what I have come to use. I first wp_unslash and then sanitize_text_field, and I get no errors, which makes sense, as this is the only version that resolves the two errors from the first version.
// Version 4.
if ( isset( $_POST['faq_highlighted'] ) ) {
	update_post_meta( $post_id, 'faq_highlighted', sanitize_text_field( wp_unslash( $_POST['faq_highlighted'] ) ) );
}
The reason I’m asking this question is that version 3 passed, just like version 4. I can see why version 3 is not correct, and I think that version 4 is the best way to do it, but I’m not sure.
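The three checks listed at the top of the question and the unslash-then-sanitize pattern of version 4, put together in one save_post callback. This is an added example, not the asker's code; the nonce action 'save_faq_highlighted', the nonce field name 'faq_highlighted_nonce' and the function name are assumptions, everything else is the WordPress API.

```php
<?php
// Added example (not from the question). Assumed names: nonce action
// 'save_faq_highlighted', nonce field 'faq_highlighted_nonce'.

// Form side: emits the hidden nonce field inside the meta box / form.
function faq_highlighted_nonce_field() {
	wp_nonce_field( 'save_faq_highlighted', 'faq_highlighted_nonce' );
}

// Save side: every read of $_POST is unslashed and sanitized directly on
// the superglobal, so phpcs can see it, unlike the copy made in version 3.
function faq_highlighted_save_meta( $post_id ) {
	// 1. This is only a POST we care about if our nonce field was submitted.
	if ( ! isset( $_POST['faq_highlighted_nonce'] ) ) {
		return;
	}

	// 2. The nonce is itself $_POST data: unslash and sanitize it before use.
	$nonce = sanitize_text_field( wp_unslash( $_POST['faq_highlighted_nonce'] ) );
	if ( ! wp_verify_nonce( $nonce, 'save_faq_highlighted' ) ) {
		return; // Request did not come from our form.
	}

	// Guards a defender wants as well: skip autosaves and enforce capability.
	if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
		return;
	}
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}

	// 3. Only write when the field is present.
	if ( ! isset( $_POST['faq_highlighted'] ) ) {
		return;
	}

	// Version 4 from the question: wp_unslash() first, because WordPress
	// adds slashes to the superglobals, then sanitize_text_field().
	$value = sanitize_text_field( wp_unslash( $_POST['faq_highlighted'] ) );
	update_post_meta( $post_id, 'faq_highlighted', $value );
}
add_action( 'save_post', 'faq_highlighted_save_meta' );
```

The assignment `$value_of_post = $_POST;` in version 3 is what hides the value from the sniff: it only inspects reads of the superglobal itself, so the copy is never checked and the unsanitized data still reaches the database.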