My Professional Profile

I am Johnson Augustine, Sr. Software Engineer and System Architect. I have 10 years of hands-on expertise in ASP.NET MVC 5, Angular 5, C# MVC Razor, WPF MVVM, Android, iOS Swift 3, iOS 11, MSSQL, MySQL Database, PHP, C/C++/Visual C++/G++/QT++, COM, DirectX, OpenCV, Emgu CV, embedded system development [Raspberry Pi], HTML, JavaScript, jQuery, Ajax, CSS, networking, cyber security, and ethical hacking. You can see my professional profile at http://linkedin.com/in/johnsontaugustine. Email: johnsonaugustine@live.com

Wednesday, 12 December 2012

How to validate form fields in WordPress?


There are a lot of functions available in WordPress to manage validation of input fields.


Integers
intval( $int ) or (int) $int

If it's supposed to be an integer, cast it as one.

absint( $int )
Ensures that the result is nonnegative.


HTML/XML
Note that many types of XML documents (as opposed to HTML documents) understand only a few named character references: apos, amp, gt, lt, quot. When outputting text to such an XML document, be sure to filter any text containing illegal named entities through WordPress's ent2ncr( $text ) function.

HTML/XML Fragments

wp_kses( (string) $fragment, (array) $allowed_html, (array) $protocols = null )
KSES Strips Evil Scripts. All untrusted HTML (post text, comment text, etc.) should be run through wp_kses().
To avoid having to pass an array of allowed HTML tags, you can use wp_kses_post( (string) $fragment ) for tags that are allowed in posts/pages or wp_kses_data( (string) $fragment ) for the small list of tags allowed in comments.

wp_rel_nofollow( (string) $html )
Adds a "rel='nofollow'" attribute to any <a> link.
wp_kses_allowed_html( (string) $context )
Provides an array of allowed HTML tags for a given context. Allowed values are post | strip | data | entities, or the name of a field filter such as pre_user_description.
Text Nodes
esc_html( $text ) (since 2.8)
Encodes < > & " ' (less than, greater than, ampersand, double quote, single quote). Very similar to esc_attr.
esc_html__ (since 2.8)
Translates and encodes
esc_html_e (since 2.8)
Translates, encodes, and echoes
esc_textarea (since 3.1)
Encodes text for use inside a textarea element.
sanitize_text_field (since 2.9.0)
Sanitizes a string from user input or from the database.
Attribute Nodes

esc_attr( $text ) (since 2.8)
esc_attr__()
Translates and encodes
esc_attr_e()
Translates, encodes, and echoes
JavaScript

esc_js( $text ) (since 2.8)
URLs
esc_url( $url, (array) $protocols = null ) (since 2.8)
Always use esc_url when sanitizing URLs (in text nodes, attribute nodes or anywhere else). Rejects URLs that do not have one of the provided whitelisted protocols (defaulting to http, https, ftp, ftps, mailto, news, irc, gopher, nntp, feed, and telnet), eliminates invalid characters, and removes dangerous characters. Replaces clean_url() which was deprecated in 3.0.

This function encodes characters as HTML entities: use it when generating an (X)HTML or XML document. Encodes ampersands (&) and single quotes (') as numeric entity references (&#038;, &#039;).
esc_url_raw( $url, (array) $protocols = null ) (since 2.8)
For inserting a URL in the database. This function does not encode characters as HTML entities: use it when storing a URL or in other cases where you need the non-encoded URL. This functionality can be replicated in the old clean_url function by setting $context to db.

urlencode( $scalar )
Encodes for use in URL (as a query parameter, for example)
urlencode_deep( $array )
URL-encodes all array elements.
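
Each escaping function in the Text Nodes, Attribute Nodes, JavaScript and URLs sections belongs to one output context. The following is an added example, not code from the original post or from WordPress itself, that renders a form with one escape per context. It assumes it runs inside a WordPress theme or plugin; myplugin_render_profile_form(), the 'myplugin' text domain and the $profile keys are hypothetical.

```php
<?php
// Added example: assumes it runs inside WordPress (theme or plugin file).
// myplugin_render_profile_form() and the $profile keys are hypothetical.
function myplugin_render_profile_form( array $profile ) {
    // Only these tags and attributes survive in the bio fragment.
    $allowed_bio_html = array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'em'     => array(),
        'strong' => array(),
    );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <!-- Text node: esc_html() -->
        <h2><?php echo esc_html( $profile['display_name'] ); ?></h2>

        <!-- Attribute value: esc_attr() -->
        <input type="text" name="display_name"
               value="<?php echo esc_attr( $profile['display_name'] ); ?>">

        <!-- URL in an attribute: esc_url() rejects protocols not on its list -->
        <a href="<?php echo esc_url( $profile['website'] ); ?>">
            <?php esc_html_e( 'Website', 'myplugin' ); ?>
        </a>

        <!-- Textarea content: esc_textarea() -->
        <textarea name="bio"><?php echo esc_textarea( $profile['bio'] ); ?></textarea>

        <!-- HTML fragment that may keep some markup: wp_kses() -->
        <div class="bio-preview">
            <?php echo wp_kses( $profile['bio'], $allowed_bio_html ); ?>
        </div>

        <!-- Value inside an inline JavaScript string: esc_js() -->
        <button type="button"
                onclick="alert('<?php echo esc_js( $profile['display_name'] ); ?>')">
            <?php esc_html_e( 'Preview name', 'myplugin' ); ?>
        </button>
    </form>
    <?php
}
```
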
Database
$wpdb->insert( $table, (array) $data )
$data should be unescaped (the function will escape them for you). Keys are columns, Values are values.
$wpdb->update( $table, (array) $data, (array) $where )
$data should be unescaped. Keys are columns, Values are values.  $where should be unescaped. Multiple WHERE conditions are ANDed together.
$wpdb->update(
  'my_table',
  array( 'status' => $untrusted_status, 'title' => $untrusted_title ),
  array( 'id' => 123 )
);
$wpdb->prepare( $format, (scalar) $value1, (scalar) $value2, ... )
$format is a sprintf()-like format string. It only understands %s and %d, neither of which needs to be enclosed in quotation marks.
$wpdb->get_var( $wpdb->prepare(
  "SELECT something FROM table WHERE foo = %s and status = %d",
  $name, // an unescaped string (function will do the sanitation for you)
  $status // an untrusted integer (function will do the sanitation for you)
) );
esc_sql( $sql ) (since 2.8)
$wpdb->escape( $text )
Escapes a single string for use in a SQL query. Glorified addslashes().
$wpdb->escape_by_ref( &$text )
No return value.
like_escape( $string )
Sanitizes $string for use in a LIKE expression of a SQL query. Will still need to be SQL escaped (with one of the above functions).
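
A LIKE search needs the two steps described above: escape the LIKE wildcards first, then SQL-escape the result. The following is an added example, not code from the original post. It assumes WordPress is loaded, uses $wpdb->esc_like(), which replaced like_escape() in WordPress 4.0, and the helper name myplugin_search_titles() is hypothetical.

```php
<?php
// Added example: assumes WordPress is loaded so the global $wpdb exists.
// myplugin_search_titles() is a hypothetical helper name.
function myplugin_search_titles( $untrusted_term, $untrusted_limit ) {
    global $wpdb;

    $term  = sanitize_text_field( $untrusted_term );
    $limit = min( absint( $untrusted_limit ), 50 ); // nonnegative, capped at 50
    if ( '' === $term || 0 === $limit ) {
        return array();
    }

    // Step 1: neutralise the LIKE wildcards (% and _) typed by the user.
    // $wpdb->esc_like() replaced like_escape() in WordPress 4.0.
    // Step 2: add our own wildcards, then let prepare() do the SQL escaping.
    $pattern = '%' . $wpdb->esc_like( $term ) . '%';

    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts}
             WHERE post_status = %s AND post_title LIKE %s
             ORDER BY post_date DESC LIMIT %d",
            'publish',
            $pattern,
            $limit
        )
    );
}
```
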
Filesystem
validate_file( (string) $filename, (array) $allowed_files = "" )
Used to prevent directory traversal attacks, or to test a filename against a whitelist. Returns 0 if $filename represents a valid relative path. After validating, you must treat $filename as a relative path (i.e. you must prepend it with an absolute path), since something like /etc/hosts will validate with this function. Returns an integer greater than zero if the given path contains .., ./, or :, or is not in the $allowed_files whitelist. Be careful making boolean interpretations of the result, since false (0) indicates the filename has passed validation, whereas true (> 0) indicates failure.
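
The inverted return value and the relative-path requirement are the two easy mistakes with validate_file(). The following is an added example, not code from the original post, that handles both. It assumes WordPress is loaded; myplugin_resolve_export(), the myplugin-exports directory and the allowed file names are hypothetical.

```php
<?php
// Added example: assumes WordPress is loaded. myplugin_resolve_export(),
// the "myplugin-exports" directory and the allowed file names are hypothetical.
function myplugin_resolve_export( $untrusted_name ) {
    $allowed = array( 'report.csv', 'summary.csv' );

    // validate_file() can return 0 for an empty string, so reject that first.
    if ( ! is_string( $untrusted_name ) || '' === $untrusted_name ) {
        return new WP_Error( 'bad_file', 'No file name given.' );
    }

    // 0 means "passed". Compare strictly: if ( validate_file( ... ) ) reads
    // backwards, because a truthy result is the failure case.
    if ( 0 !== validate_file( $untrusted_name, $allowed ) ) {
        return new WP_Error( 'bad_file', 'File name rejected.' );
    }

    // The name is only safe as a relative path: prepend a fixed base directory.
    $uploads = wp_upload_dir();
    $base    = trailingslashit( $uploads['basedir'] ) . 'myplugin-exports/';
    $path    = $base . $untrusted_name;

    // Defence in depth: the resolved path must still sit under the base directory.
    $real_base = realpath( $base );
    $real_path = realpath( $path );
    if ( false === $real_base || false === $real_path
        || 0 !== strpos( $real_path, $real_base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'bad_file', 'File not found.' );
    }

    return $real_path;
}
```
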
HTTP Headers
Header splitting attacks are annoying since they are dependent on the HTTP client. WordPress has little need to include user generated content in HTTP headers, but when it does, WordPress typically uses whitelisting for most of its HTTP headers.

WordPress does use user generated content in HTTP Location headers, and provides sanitation for those.

wp_redirect($location, $status = 302)
A safe way to redirect to any URL. Ensures the resulting HTTP Location header is legitimate.
wp_safe_redirect($location, $status = 302)
Even safer. Only allows redirects to whitelisted domains.
Input Validation
Many of the output sanitation functions above are also useful for input validation. In addition, WordPress uses the following functions.

Slugs
sanitize_title( $title )
Used in post slugs, for example
sanitize_user( $username, $strict = false )
Use $strict when creating a new user (though you should use the API for that).
HTML
balanceTags( $html ) or force_balance_tags( $html )
Tries to make sure HTML tags are balanced so that valid XML is output.
tag_escape( $html_tag_name )
Sanitizes an HTML tag name (does not escape anything, despite the name of the function).
sanitize_html_class( $class, $fallback )
Sanitizes an HTML class name to ensure it only contains valid characters. Strips the string down to A-Z, a-z, 0-9, '-'; if this results in an empty string, it returns the alternative value supplied.
Email
is_email( $email_address )
Returns boolean false if invalid, or $email_address if valid.
Arrays
array_map( 'absint', $array )
Ensures all elements are nonnegative integers. Replace callback with whatever is appropriate for your data.
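
The input validation functions, $wpdb->insert() and wp_safe_redirect() fit together in a form handler. The following is an added example, not code from the original post or from WordPress itself. It assumes WordPress is loaded; the myplugin_signup action, the myplugin_signups table, the field names and the age range are hypothetical.

```php
<?php
// Added example: assumes WordPress is loaded. The action name, the table
// {$wpdb->prefix}myplugin_signups, the fields and the age range are hypothetical.
// A CSRF nonce check would normally come first; nonces are outside this post.
add_action( 'admin_post_nopriv_myplugin_signup', 'myplugin_handle_signup' );
add_action( 'admin_post_myplugin_signup', 'myplugin_handle_signup' );

function myplugin_handle_signup() {
    global $wpdb;
    $post = wp_unslash( $_POST ); // remove the slashes WordPress adds to $_POST

    $name   = sanitize_text_field( isset( $post['name'] ) ? $post['name'] : '' );
    $email  = ( isset( $post['email'] ) && is_string( $post['email'] ) )
        ? is_email( trim( $post['email'] ) ) // false, or the address itself
        : false;
    $age    = absint( isset( $post['age'] ) ? $post['age'] : 0 );
    $topics = ( isset( $post['topics'] ) && is_array( $post['topics'] ) )
        ? array_map( 'absint', $post['topics'] )
        : array();

    $errors = array();
    if ( '' === $name ) { $errors[] = 'name'; }
    if ( false === $email ) { $errors[] = 'email'; }
    if ( $age < 13 || $age > 120 ) { $errors[] = 'age'; }

    $back = wp_get_referer() ? wp_get_referer() : home_url( '/' );
    if ( $errors ) {
        // urlencode() the value that goes into the query string.
        $back = add_query_arg( 'signup_error', urlencode( implode( ',', $errors ) ), $back );
    } else {
        // insert() escapes the values itself: pass them unescaped.
        $wpdb->insert(
            $wpdb->prefix . 'myplugin_signups',
            array( 'name' => $name, 'email' => $email,
                   'age' => $age, 'topics' => implode( ',', $topics ) ),
            array( '%s', '%s', '%d', '%s' )
        );
        $back = add_query_arg( 'signup', 'ok', $back );
    }

    // Redirects only to allowed hosts; always stop execution afterwards.
    wp_safe_redirect( $back );
    exit;
}
```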

Data is taken from the official WordPress website.

