Correct processing of `$_POST`, following WordPress Coding Standards

Background

I'm building a project that, according to the specifications, needs to follow the WordPress Coding Standards. I am using phpcs to scan my code.

If I try to pass $_POST-data into a function without sanitizing it, I will get an error.

What I do before my code:

  • Verify that this is actually a POST request by checking that $_POST is set.
  • Verify that we have a value by checking if $_POST['faq_highlighted'] is set.
  • Verify the nonce field using wp_verify_nonce to make sure that the request is from a valid source.

The code

I noticed that depending on how I pass the posted value, the error will behave differently, or disappear, even though there is no change to the functionality of the code.

Version 1

In this version, I check if $_POST['faq_highlighted'] is set. If it is, I update_post_meta against the meta key faq_highlighted with the value of $_POST['faq_highlighted'].

// Version 1.
if ( isset( $_POST['faq_highlighted'] ) ) {
    update_post_meta( $post_id, 'faq_highlighted', $_POST['faq_highlighted'] ); // Error on this line.
}

This rightfully gives me the following error on row 3:

$_POST data not unslashed before sanitization. Use wp_unslash() or similar. Detected usage of a non-sanitized input variable: $_POST['faq_highlighted']

Version 2

In this version, without any unslashing, escaping or sanitization, I pass the value of $_POST['faq_highlighted'] into a variable called $value_of_post_faq_highlighted. And I get the same error, but on that line.

This makes sense, as it's the use of a $_POST variable that is not unslashed that is triggering the error.

// Version 2.
$value_of_post_faq_highlighted = $_POST['faq_highlighted']; // Error on this line.
if ( isset( $value_of_post_faq_highlighted ) ) {
    update_post_meta( $post_id, 'faq_highlighted', $value_of_post_faq_highlighted );
}

Version 3

This is where it gets strange. I'm now passing the whole $_POST into a variable called $value_of_post. There is still no unslashing, escaping or sanitization, but phpcs does not give me any warnings.

// Version 3 - No error!
$value_of_post = $_POST;
if ( isset( $value_of_post['faq_highlighted'] ) ) {
    update_post_meta( $post_id, 'faq_highlighted', $value_of_post['faq_highlighted'] );
}

The question

As all the above-mentioned blocks of code do the exact same thing, and they all fail except for version 3, which I think should fail, what would be the correct way of doing this?

My attempt at doing it correctly.

Version 4 - My suggestion

This is what I have come to use. I first wp_unslash and then sanitize_text_field, and I get no errors, which makes sense, as this is the only version that resolves the two errors from the first version.

// Version 4.
if ( isset( $_POST['faq_highlighted'] ) ) {
    update_post_meta( $post_id, 'faq_highlighted', sanitize_text_field( wp_unslash( $_POST['faq_highlighted'] ) ) );
}

The reason I'm asking this question is that version 3 passed, just like version 4. I can see why version 3 is not correct, and I think that version 4 is the best way to do it, but I'm not sure.

Topic coding-standards save-post post-meta sanitization Wordpress
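The checks the question lists (POST present, value set, nonce verified) combined with the Version 4 pattern, written out as a complete save_post handler. This is an added example, not the asker's code; the function names (gm_*), the nonce field name and the nonce action string are assumed. Note that Version 3 only silences the sniff because WPCS looks for direct reads of the superglobal; copying $_POST into a local variable hides the read from phpcs without unslashing or sanitizing anything.

```php
<?php
// Added example (not from the question). Names prefixed gm_ and the nonce
// field/action names are assumptions chosen for this illustration.

/**
 * Meta box field with a nonce, so the save handler has something to verify.
 */
function gm_render_faq_highlighted_field( $post ) {
    wp_nonce_field( 'gm_save_faq_highlighted', 'faq_highlighted_nonce' );
    $current = get_post_meta( $post->ID, 'faq_highlighted', true );
    printf(
        '<input type="text" name="faq_highlighted" value="%s" />',
        esc_attr( $current )
    );
}

/**
 * Save handler. Every $_POST read is isset-checked, unslashed and then
 * sanitized before use, which is the order WPCS expects.
 */
function gm_save_faq_highlighted( $post_id ) {
    // 1. Nonce: missing or invalid means the request did not come from our form.
    if ( ! isset( $_POST['faq_highlighted_nonce'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['faq_highlighted_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'gm_save_faq_highlighted' ) ) {
        return;
    }

    // 2. Skip autosaves and users who may not edit this post (a nonce proves
    //    intent, not capability).
    if ( ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // 3. Value present? Then unslash (WordPress adds slashes to request data)
    //    and sanitize, exactly as in Version 4 of the question.
    if ( ! isset( $_POST['faq_highlighted'] ) ) {
        return;
    }
    $value = sanitize_text_field( wp_unslash( $_POST['faq_highlighted'] ) );
    update_post_meta( $post_id, 'faq_highlighted', $value );
}
add_action( 'save_post', 'gm_save_faq_highlighted' );
```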
