Validating Data | Common APIs Handbook | WordPress Developer Resources

Data validation is the process of analyzing the data against a predefined pattern (or patterns) with a definitive result: valid or invalid. Usually this applies to data coming from external sources such as user input and calls to web services via API.

Data validation should be performed as early as possible. That means validating the data before performing any actions.

There are at least three ways: built-in PHP functions, core WordPress functions, and custom functions you write.

Basic validation is doable using many built-in PHP functions, including these:

WordPress provides many useful functions that help validate different kinds of data. Here are several examples:

Check the WordPress code reference for more functions like these. Search for functions with names like these: , , and . Not all of these are validation functions, but many are helpful.

You can write your own PHP and JavaScript functions and include them in your plugin. When writing a validation function, you’ll want to name it like a question (examples: is_phone, is_available, is_us_zipcode).

The function should return a boolean, either true or false, depending on whether the data is valid or not, so that the function can be used directly as a condition.

Let’s say you have a U.S. zip code input field that a user submits.

The text field allows up to 10 characters of input with no limitations on the types of characters that can be used. Users could enter something valid like or something invalid (and evil) like . The maxlength attribute on our field is only enforced by the browser, so you still need to validate the length of the input on the server. If you don’t, an attacker could alter the maxlength value. By using validation we can ensure we’re accepting only valid zip codes. First you need to write a function to validate a U.S. zip code:

/**
 * Validate a US zip code.
 *
 * @param string $zip_code RAW zip code to check.
 *
 * @return bool true if valid, false otherwise.
 */
function wporg_is_valid_us_zip_code( $zip_code ) {
	// Scenario 1: empty field.
	if ( empty( $zip_code ) ) {
		return false;
	}

	// Scenario 2: more than 10 characters.
	if ( 10 < strlen( trim( $zip_code ) ) ) {
		return false;
	}

	// Scenario 3: incorrect format (five digits, optionally followed by a hyphen and four more digits).
	if ( ! preg_match( '/^\d{5}(-?\d{4})?$/', $zip_code ) ) {
		return false;
	}

	// Passed successfully.
	return true;
}

When processing the form, your code should check the field and perform the action based on the result:

Say you’re going to query the database for some posts, and you want to give the user the ability to sort the query results. This example code checks an incoming sort key (stored in the “orderby” input parameter) for validity by comparing it against an array of allowed sort keys using the built-in PHP function in_array. This prevents the user from passing in malicious data and potentially compromising the website. Before checking the incoming sort key against the array, the key is passed into the built-in WordPress function sanitize_key. This function ensures, among other things, that the key is in lowercase (in_array performs a case-sensitive search). Passing true as the third parameter of in_array enables strict type checking, which tells the function to compare not only values but value types as well. This lets the code be certain that the incoming sort key is a string and not some other data type.

$allowed_keys = [ 'author', 'post_author', 'date', 'post_date' ];
$orderby      = sanitize_key( $_POST['orderby'] );
if ( in_array( $orderby, $allowed_keys, true ) ) {
	// Modify the query to sort by the validated $orderby key.
}
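The following is an added, stand-alone example and not code from the WordPress handbook: a form handler that runs both validators described above (the zip code function and the orderby allowlist) over a set of constructed submissions, including one that a client could send after removing the maxlength attribute. The field names wporg_zip_code and orderby, the wporg_example_ helper, and the sample submissions are assumptions made for this example; the sanitize_key stand-in reproduces core's lowercase-and-strip behaviour so the script runs without loading WordPress.

```php
<?php
/**
 * Added example (not from the handbook): validate a whole form submission
 * before acting on any of it, using the two validators from the text.
 * Field names, the wporg_example_ helper and the sample data are assumed.
 */

// Stand-in for WordPress core's sanitize_key() so this runs outside WordPress:
// lowercase, then strip everything except a-z, 0-9, _ and -. Core does the
// same but also passes the result through the 'sanitize_key' filter.
if ( ! function_exists( 'sanitize_key' ) ) {
	function sanitize_key( $key ) {
		if ( ! is_scalar( $key ) ) {
			return '';
		}
		return preg_replace( '/[^a-z0-9_\-]/', '', strtolower( (string) $key ) );
	}
}

// Same validator as in the text above.
function wporg_is_valid_us_zip_code( $zip_code ) {
	if ( empty( $zip_code ) ) {
		return false; // Scenario 1: empty.
	}
	if ( 10 < strlen( trim( $zip_code ) ) ) {
		return false; // Scenario 2: longer than the form's maxlength allows.
	}
	if ( ! preg_match( '/^\d{5}(-?\d{4})?$/', $zip_code ) ) {
		return false; // Scenario 3: not 5 digits, optionally followed by -4 digits.
	}
	return true;
}

/**
 * Validate a submission and report per field; nothing is acted on here.
 *
 * Returns [ 'zip_code' => bool, 'orderby' => string|false ]. $_POST values may
 * be arrays as well as strings (a client can send wporg_zip_code[]=...), so the
 * type is checked first: trim() on an array throws a TypeError on PHP 8.
 */
function wporg_example_validate_submission( array $post ) {
	$allowed_keys = [ 'author', 'post_author', 'date', 'post_date' ];

	$zip_ok = isset( $post['wporg_zip_code'] )
		&& is_string( $post['wporg_zip_code'] )
		&& wporg_is_valid_us_zip_code( $post['wporg_zip_code'] );

	// sanitize_key() lowercases, so 'POST_DATE' still matches; the strict
	// in_array() then accepts only an exact string from the allowlist.
	$orderby    = isset( $post['orderby'] ) ? sanitize_key( $post['orderby'] ) : '';
	$orderby_ok = in_array( $orderby, $allowed_keys, true );

	return [
		'zip_code' => $zip_ok,
		'orderby'  => $orderby_ok ? $orderby : false,
	];
}

// Constructed submissions standing in for $_POST. The third is what a client
// that removed the maxlength attribute could send; the fourth sends an array.
$submissions = [
	'well-formed'               => [ 'wporg_zip_code' => '12345-6789', 'orderby' => 'post_date' ],
	'uppercase orderby'         => [ 'wporg_zip_code' => '90210', 'orderby' => 'POST_DATE' ],
	'maxlength bypassed'        => [ 'wporg_zip_code' => '12345-67890123', 'orderby' => 'date' ],
	'array instead of string'   => [ 'wporg_zip_code' => [ '12345' ], 'orderby' => 'date' ],
	'sort key not on allowlist' => [ 'wporg_zip_code' => '12345', 'orderby' => 'post_title' ],
	'fields missing'            => [],
];

foreach ( $submissions as $label => $post ) {
	$result = wporg_example_validate_submission( $post );
	if ( $result['zip_code'] && false !== $result['orderby'] ) {
		echo "$label: OK, safe to act (sort by {$result['orderby']})\n";
	} else {
		echo "$label: rejected " . json_encode( $result ) . "\n";
	}
}
```

Only the first two submissions are accepted; the over-length zip code, the array-valued field, the unknown sort key and the empty submission are all rejected before any query is built, which is the "validate before performing any actions" rule from the start of the page applied to a whole form rather than a single field.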
