Do I need to sanitize $_POST['keyword'] before send to 's' parameter?

Anyone know how to sanitize the $_POST for wordpress?

$args = array(
   's' => esc_attr( $_POST['keyword'] ),
);

Topic sanitization Wordpress sql

Category Web


You can use the default PHP FILTER_SANITIZE_STRING filter, which removes tags and removes or encodes special characters from a string.

Possible options and flags:

  • FILTER_FLAG_NO_ENCODE_QUOTES - Do not encode quotes
  • FILTER_FLAG_STRIP_LOW - Remove characters with ASCII value < 32
  • FILTER_FLAG_STRIP_HIGH - Remove characters with ASCII value > 127
  • FILTER_FLAG_ENCODE_LOW - Encode characters with ASCII value < 32
  • FILTER_FLAG_ENCODE_HIGH - Encode characters with ASCII value > 127
  • FILTER_FLAG_ENCODE_AMP - Encode the "&" character to &#38;

Usage:

$filtervar = filter_var($_POST['keyword'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
$args = array(
  's' => $filtervar
 );

Example:

<?php
$str = "<h1>Hello WorldÆØÅ!</h1>";
$newstr = filter_var($str, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
echo $newstr;
?>

Output: Hello World!


You can use the WordPress function below to sanitize the value:

sanitize_text_field( $_POST['keyword'] );

You can also find more details here: https://developer.wordpress.org/reference/functions/sanitize_text_field/
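The distinction the two answers touch on is sanitize on input, escape on output: sanitize_text_field() cleans the incoming keyword, WP_Query already parameterizes the 's' argument internally, and esc_html() belongs at the point where the keyword is rendered back into HTML. The following is an added example, not code from either answer; it assumes it runs inside WordPress (a theme or plugin), so sanitize_text_field(), wp_unslash(), WP_Query and esc_html() are available, and the function name gm_search_results_from_post is made up for illustration.

```php
<?php
// Added example (not from the original answers). Runs inside WordPress.
function gm_search_results_from_post(): array {
    // Reject missing or non-string input outright instead of coercing it.
    if ( ! isset( $_POST['keyword'] ) || ! is_string( $_POST['keyword'] ) ) {
        return array();
    }

    // Input sanitization: WordPress adds slashes to $_POST, so unslash first,
    // then strip tags, control characters and surrounding whitespace.
    $keyword = sanitize_text_field( wp_unslash( $_POST['keyword'] ) );
    if ( '' === $keyword ) {
        return array();
    }

    // Pass the sanitized keyword straight to WP_Query. It handles the SQL
    // side itself (esc_like + $wpdb->prepare), so no esc_attr()/esc_sql()
    // is needed here; applying HTML escaping at this stage would only
    // corrupt legitimate searches containing quotes or ampersands.
    $query = new WP_Query( array(
        's'           => $keyword,
        'post_status' => 'publish',
        'posts_per_page' => 10,
    ) );

    $results = array();
    while ( $query->have_posts() ) {
        $query->the_post();
        $results[] = array(
            'title' => get_the_title(),
            'url'   => get_permalink(),
        );
    }
    wp_reset_postdata();

    // Output escaping: the keyword is escaped for the HTML context only
    // when it is echoed back to the browser.
    echo '<p>Results for: ' . esc_html( $keyword ) . '</p>';
    foreach ( $results as $hit ) {
        echo '<a href="' . esc_url( $hit['url'] ) . '">'
            . esc_html( $hit['title'] ) . '</a><br>';
    }

    return $results;
}
```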
