Part I: Data Validation and Sanitization in WordPress

Data validation and sanitization come into play whenever users are allowed to enter data, whether through forms in a custom meta box, theme options, or any other way. Although our code may seem to work fine without validation and sanitization, it is important to validate input if you want your data to be secure. Unvalidated data is exposed to attackers, who can exploit it in different ways.

Why data validation and sanitization?

  • Attackers can inject various scripts, including XSS (Cross-Site Scripting) payloads, if input is not properly validated
  • Malformed input can break the form at output
  • It can be used to spread malware

Here is an example that shows how a simple input field can be a potential threat.

<?php
// Retrieving the value from the $_POST superglobal; it is used as-is, without
// validation or escaping (this is the vulnerable version the article discusses)
$username = isset( $_POST['username'] ) ? $_POST['username'] : '';
?>
<label> Name </label>
<input type="text" name="username" value="<?php echo $username; ?>" />


The above code is a simple input field for entering a user's name. There is nothing wrong with it if the user enters a name such as George, but what happens when the user enters the following values in the input field?
case a: <George>
case b: <script>alert('XSS');</script>

In case a, the output form breaks in the browser because of the < and > (less-than, greater-than) characters.

In case b, the user has injected a script, which may let an unauthorized user gain access to sensitive information and pages.

Difference between Data Validation and Sanitization

Data Validation: The purpose of data validation is to make sure that we receive what we expect to receive. If the data is valid we accept it; if not, we reject it. We validate data before saving it.

Sanitization: In contrast to validation, sanitization does not reject the whole input but strips harmful tags and encodes what remains before echoing it to the browser. We sanitize data before showing it in the user's browser.

In some cases we need to both validate and sanitize the input data.

Whether to validate or sanitize input?

Well, it depends on the situation. For example, take an input field where the user has to enter their age. We can validate the data in this case: accept it if it is a positive integer, using absint( $int ), and reject it if it is not, asking the user to re-enter the age. But for a text field where the user enters a lengthy text, rejecting the whole text and asking the user to rewrite it just because it contains some HTML tags does not sound like a good approach. In such cases, sanitizing the text and stripping the tags is the better option.


Luckily, WordPress has a number of functions that can be used to validate and sanitize any untrusted data. One can of course use plain PHP functions too, but it is always a better idea to use the WordPress functions where they are available.
Note: Part 2 of this article will be published next week. It will cover in detail which WordPress functions are available for output sanitization and input validation, and how to use them.
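The example below is added here and is not code from the original article. It reworks the name field from the earlier snippet, adds the age field discussed above, and applies the three steps the article describes: validate the age, sanitize the text on input, and escape on output. It assumes it runs inside WordPress (so absint(), sanitize_text_field(), wp_kses_post(), wp_unslash(), esc_attr() and esc_html() exist); the $_POST values are constructed and include the two hostile inputs from the article.

```php
<?php
// Added example (not from the original article). Assumes WordPress is loaded.
// Constructed sample submission: the two hostile inputs from the article
// plus an invalid age.
$_POST = array(
    'username' => '<script>alert(\'XSS\');</script>',
    'age'      => '-7',
    'bio'      => '<p>Hello</p><script>alert(1)</script>',
);
$errors = array();

// Validation: age must be a positive whole number, otherwise reject it and
// ask the user again. absint() turns "-7", "abc" and "" into 7, 0 and 0, so
// compare the normalised value back to what was actually typed.
$age_raw = isset( $_POST['age'] ) ? trim( (string) $_POST['age'] ) : '';
$age     = absint( $age_raw );
if ( $age < 1 || (string) $age !== $age_raw ) {
    $errors[] = 'Please enter your age as a positive whole number.';
}

// Sanitization on input: for a short text field, strip tags and stray
// whitespace instead of rejecting it. wp_strip_all_tags() inside
// sanitize_text_field() removes the whole <script>...</script> element,
// contents included, so the hostile username above ends up empty.
$username = isset( $_POST['username'] )
    ? sanitize_text_field( wp_unslash( $_POST['username'] ) )
    : '';

// For a long text field, keep harmless HTML (<p>, <a>, ...) but drop
// <script> elements and event handlers, rather than throwing the text away.
$bio = isset( $_POST['bio'] ) ? wp_kses_post( wp_unslash( $_POST['bio'] ) ) : '';

if ( empty( $errors ) ) {
    // Only now is it safe to persist, e.g. update_user_meta( $user_id, 'age', $age );
}

// Escaping on output: the value lands inside an HTML attribute, so encode it
// with esc_attr() at the moment of echoing. This is the step the article's
// vulnerable snippet omits.
?>
<label>Name</label>
<input type="text" name="username" value="<?php echo esc_attr( $username ); ?>" />
<?php foreach ( $errors as $error ) : ?>
    <p class="error"><?php echo esc_html( $error ); ?></p>
<?php endforeach; ?>
```

Note that escaping is chosen per output context: esc_attr() for attribute values, esc_html() for element text; neither replaces the input-side validation and sanitization.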
Part II: Data Validation and Sanitization in WordPress


Author

Rabin

I am a WordPress developer and PHP programmer, currently working at Catch Internet. Although I completed my Bachelor's degree in Electronics Engineering, I have a great passion for the web and web applications. In my leisure time I love watching movies, listening to music and hanging out with friends.

