PHP Code Sniffer - WordPress VIP Coding Standards

I'm trying to fix up my code to meet the WordPress VIP Coding Standards. I'm getting a couple of issues that I'd like to see go away, but I'm not sure what the best strategy is.

The first issue is when I'm verifying a nonce while saving metabox data:

$nonce = isset( $_POST['revv_meta_box_nonce'] ) ? $_POST['revv_meta_box_nonce'] : '';

The error I'm getting here is 'Processing data without nonce verification'. Which is pretty silly since I'm just storing the nonce in a variable, which I am then verifying on the next line.

The second issue is when I'm storing the data:

$foo = isset($_POST['foo']) ? sanitize_text_field( $_POST['foo'] ) : '';
update_post_meta( $post_id, '_foo', $foo );

On the first line there, the sniffer is complaining that I'm not running wp_unslash on the data before sanitizing it. But the data is going directly into update_post_meta on the next line, which expects that data to not be unslashed.

Any ideas on the best strategy for getting rid of these error messages? Thanks!
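For reference, here is the shape of a metabox save callback that satisfies the WordPress coding standards sniffs the question mentions. This is an added example, not code from the question or the answer below; it assumes it runs inside WordPress (hooked to `save_post`), reuses the `revv_meta_box_nonce` field name from the question, and the nonce action name `revv_save_meta` and the meta key `_foo` are assumptions.

```php
<?php
// Added example: a save_post handler written the way WPCS expects.
// Assumes WordPress is loaded. 'revv_save_meta' is an assumed nonce action name;
// it must match the action passed to wp_nonce_field() when the metabox is rendered.

add_action( 'save_post', 'revv_save_meta_box' );

function revv_save_meta_box( $post_id ) {
    // 1. Nonce first: read, unslash, sanitize and verify it before any other $_POST access.
    //    Reading the nonce into a variable on its own line is what the sniff flags; keeping
    //    the isset/unslash/sanitize/verify chain together satisfies it.
    if ( ! isset( $_POST['revv_meta_box_nonce'] ) ) {
        return;
    }
    $nonce = sanitize_text_field( wp_unslash( $_POST['revv_meta_box_nonce'] ) );
    if ( ! wp_verify_nonce( $nonce, 'revv_save_meta' ) ) {
        return;
    }

    // 2. A valid nonce proves intent, not permission: still check autosave and capability.
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // 3. Input: WordPress slashes superglobals, so unslash before sanitizing.
    $foo = isset( $_POST['foo'] ) ? sanitize_text_field( wp_unslash( $_POST['foo'] ) ) : '';

    // 4. update_post_meta() unslashes its value internally, so hand it slashed data
    //    (wp_slash) to keep any backslashes the user typed from being stripped twice.
    update_post_meta( $post_id, '_foo', wp_slash( $foo ) );
}
```

The ordering matters for the sniffs: every `$_POST` read after the nonce check is on a line the sniffer can see is guarded, and each read is wrapped in `wp_unslash()` plus a sanitizing function, which is exactly what the two warnings in the question are asking for.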



You can use filter_input to sanitize your $_POST array.

$nonce = filter_input( INPUT_POST, 'revv_meta_box_nonce', FILTER_SANITIZE_STRING );

Use empty() to check whether $nonce has a value or not.

You can use the same for the second issue:

$foo = filter_input( INPUT_POST, 'foo', FILTER_SANITIZE_STRING );

Change the 3rd parameter based on your expected data in $_POST['foo']. Check this doc for available filters.
