4

I am working on a WordPress plugin and need to sanitize the POST data within this function. Would sanitize_text_field() be the best way to go about it? Also what is the proper way to add it to the code below?

header( 'Content-Type: application/json' );

global $wpdb;
$session_id = $_POST['session_id'];
$procedure_name = $wpdb->prefix . 'get_geojson_route';
$gps_locations = $wpdb->get_results( $wpdb->prepare(
    "CALL {$procedure_name}(%s);",
    array(
        $session_id
    )
) );
stpetedesign
    Sadly, the best way would be not to use WordPress whatsoever. The other good way would be to start by defining what *sanitize* means to you. This snippet you posted is everything that's bad with WordPress and the practices it encourages. You're accepting a function name from user input. That lets me stick any kind of crap in. It doesn't even matter if I break something, I can make your site error out and obtain info I'm not supposed to see. And there's the question of whether calling the procedure is the right tool for the job. – N.B. Apr 05 '18 at 20:46

4 Answers

8

To sanitize POST data, WordPress provides the function:

$title = sanitize_text_field( $_POST['title'] );

Try this.

Rakhi Prajapati
2

In PHP you can do it like this:

// this helps prevent XSS by running every value through the string filter
$_GET   = filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING);
$_POST  = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);

This will sanitize your $_GET and $_POST arrays.

More details: PHP - Sanitize values of an array

If you want it in WordPress see this link:

https://code.tutsplus.com/articles/data-sanitization-and-validation-with-wordpress--wp-25536

Gufran Hasan
  • This worked well for some of my needs, but when processing the contents of an ACF WYSIWYG editor, it stripped out a lot of the HTML markup. I didn't spend the time to figure out why—this is just a note in case anyone else runs up against this behavior. – Sarah Lewis Oct 29 '22 at 19:24
1

Using $wpdb->prepare does the sanitizing for you.
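Combining the sanitize_text_field() suggestion above with the $wpdb->prepare() point, here is an added example for the question's endpoint; it is not code from the question or from any of the answers. The 32-hex-character session id format, the sessions_ function names and the wp_ajax hook name are assumptions.

```php
<?php
// Added example (not from the question or any answer): sanitize, then
// validate, the session_id before handing it to $wpdb->prepare().
// Assumption: session ids are 32 lowercase hex characters; change the
// pattern to match whatever your application actually issues.

/**
 * Return the session id if it matches the expected format, otherwise null.
 * Pure PHP, so it can be unit-tested outside WordPress.
 */
function sessions_validate_session_id( $raw ) {
    if ( ! is_string( $raw ) ) {
        return null; // arrays or missing values are rejected outright
    }
    $value = trim( $raw );
    // Allow-list exactly what a session id may contain. Anything else is
    // rejected rather than "cleaned": a cleaned-up id never matches a real one.
    if ( preg_match( '/\A[0-9a-f]{32}\z/', $value ) !== 1 ) {
        return null;
    }
    return $value;
}

/**
 * AJAX handler for the GeoJSON route endpoint (hypothetical hook name).
 * Register it with: add_action( 'wp_ajax_geojson_route', 'sessions_geojson_route' );
 */
function sessions_geojson_route() {
    global $wpdb;

    // Step 1: unslash, then sanitize_text_field() strips tags and NUL bytes
    // and normalises whitespace (this is what answer 1 suggests).
    $raw       = isset( $_POST['session_id'] ) ? wp_unslash( $_POST['session_id'] ) : '';
    $sanitized = sanitize_text_field( $raw );

    // Step 2: validate against the expected format; reply 400 if it fails.
    $session_id = sessions_validate_session_id( $sanitized );
    if ( null === $session_id ) {
        wp_send_json_error( array( 'message' => 'invalid session_id' ), 400 );
    }

    // Step 3: the procedure name comes from $wpdb->prefix, never from the
    // request, and the only user-controlled value goes through the %s
    // placeholder of prepare(), which quotes and escapes it for the query.
    $procedure_name = $wpdb->prefix . 'get_geojson_route';
    $gps_locations  = $wpdb->get_results(
        $wpdb->prepare( "CALL {$procedure_name}(%s);", $session_id )
    );

    wp_send_json_success( $gps_locations ); // sets the JSON content type and exits
}
```

Sanitizing and validating are separate steps: sanitize_text_field() makes the value safe to handle, while the format check is what actually decides whether the request is acceptable.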

1

If your PHP version is older than 8.1, you can use

$form_data = filter_input_array( INPUT_POST, FILTER_SANITIZE_STRING );

Otherwise, you can use

$form_data = filter_input_array( INPUT_POST, FILTER_SANITIZE_FULL_SPECIAL_CHARS );
Reza Khan