2.4 Sanitizing Data

Sanitizing data is something you must always do when dealing with user input, for security reasons. Someone might input harmful PHP code that, when saved to the database, can do serious damage. They might also inject JavaScript code that can create big problems when rendered on the front-end. To avoid this, let’s see how we can sanitize our input.

Sanitizing data is something you must always do when dealing with user input, for security reasons. For example, someone might input harmful code that, when saved to the database, can cause some pretty serious damage, or maybe some JavaScript code that can cause problems when it's outputted or rendered on the front page. Whatever the case, you must always be ready. So let's see how we can sanitize the input, or the data, from our single input.

It all starts here, when we registered our setting. Here we have a callback function called ap_options_validate. So let's go ahead and create that function: function ap_options_validate. This one actually receives one parameter called $input. So, how exactly does this work? Well, let's actually do a print_r of the input so you can see what's going on. Right? So now, if I hit Save Changes, we get this output: Array, ap-test-field-1, hello, basically the same thing that we saw previously. This is the content of our setting currently, and this is what's been transmitted to us for validation.

Now we have two options. If we don't want to validate, we simply return the same values. But if we want to validate them, we can take those values, apply different validation techniques to them, and then return those. This way, the values that are saved in the database are not the original ones; they're the ones that we modified. So let's see how we can do that. We'll start by creating an array called $validated, and in this array I'm going to hand-code this: I'm going to say ap-test-field-1 equals, and I'm going to use a function called sanitize_text_field. sanitize_text_field will do the following: it's going to take a string, check for invalid encoding, convert single angle-bracket characters to entities, strip all tags, remove line breaks, tabs, and all that stuff, and strip octets. Basically, if you're trying to input some harmful code, it's going to get rid of that.

So you would do sanitize_text_field, and the string is going to be $input['ap-test-field-1']. And then we'll simply say return $validated. We need to return an array, that's important, right? We cannot return a string or a number or anything like that. We receive an array, we must return an array; otherwise that option cannot be saved to the database. So, again, what are we doing? We're calling sanitize_text_field and we're giving it the value of ap-test-field-1. So basically, whatever we're inputting in this field, we're sanitizing that string, putting it in the validated array under this key, and then simply returning the new array.

Now, if we type something in here (disregard this warning), if we type hello again and hit Save Changes, it's going to save hello. If I put a couple of spaces before hello, the function will get rid of those. If I put some tags in here, maybe, you know, script or something like that, it is also going to get rid of those. So that is the most basic use of a validation function. It really depends on you how you want to validate. Maybe you have a certain format for field information, like a phone number or an email address, right? There are functions for these, and if there aren't, you can write your own, and that's not a problem. Or maybe you want to validate that the field doesn't have any scripts, just like I did here, where it doesn't have certain tags. You can do that, but this is a very basic example.

All right, so now that the option is saved and the data in the database is sanitized, everything is good. How do you use it on your front end? Because all we're doing here is setting options for use in the front end, mostly. So, the way to use it in the front end is the following. We're going to go to our index.php and we're going to define a variable. You can call it whatever you want; I'm going to call it $options, equal to get_option. Remember, we used this function before.

And we're going to pass in the name of the option, which is ap_options. We can pass in a default value if we want, but we don't want that. Once you have this, you can simply use it like this: echo, h1, $options, and we need to grab the key that we used here, which is ap-test-field-1. Now, of course, you would name these keys; you would give them names that are relevant to what they are used for: logo, for example, color scheme, font, stuff like that. In my case, I just used ap-test-field-1 for clarity, right? So you would do this, and then you would close the h1. Now, if you open your front end, you're going to see hello. If we change this to Tuts+ Tutorial, save the changes, and refresh, now it's Tuts+ Tutorial. This is the most basic use. You get the option here; this is an array, remember? And then you use this array with a key to get the value that you want from the database.

Now, with this, we've finished building an extremely simple theme options page. I kept it this simple for a reason: I really wanted you to learn the basics of how to do it. Right? So it all starts with registering your setting, then registering your sections and your fields. All right? Then you need to display those fields, and you need to validate the value of those fields when you save them, or before you save them, to the database. This is how it works, basically. Now, for a larger-scale options page, of course you're going to have more fields, more sections, and if you want you can create more settings. And you'll have much more complex validation. In the end, it all boils down to these basics. In the next chapter, we're going to begin creating such a page, a more complex theme options page, and we're going to have image uploads and a whole bunch of different field types. We'll do all that, and we're going to start in the next lesson.
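As an added example (not the course's own code), here is the validation callback and the template-side read described in this lesson, written out in full. The option name ap_options, the field key ap-test-field-1 and the callback name ap_options_validate come from the lesson; the option group name ap_options_group, the AP_OPTION_FIELDS whitelist and the ap_render_heading() helper are assumptions made for the example.

```php
<?php
// Added example, not the course's code. Assumes the option name 'ap_options',
// field key 'ap-test-field-1' and callback 'ap_options_validate' from the lesson;
// 'ap_options_group', AP_OPTION_FIELDS and ap_render_heading() are hypothetical.

// Whitelist of field keys this settings page owns. Any other key in the
// submitted array is dropped instead of being written to the database.
const AP_OPTION_FIELDS = array( 'ap-test-field-1' );

function ap_options_validate( $input ) {
    $validated = array();

    // The Settings API hands us an array; anything else is rejected and the
    // previously saved value is kept, so a bad submission cannot corrupt the option.
    if ( ! is_array( $input ) ) {
        add_settings_error( 'ap_options', 'ap_options_type', 'Invalid settings submission.' );
        return get_option( 'ap_options', array() );
    }

    foreach ( AP_OPTION_FIELDS as $key ) {
        $raw = isset( $input[ $key ] ) ? $input[ $key ] : '';
        // sanitize_text_field(): checks for invalid UTF-8, converts a lone '<'
        // to an entity, strips tags, and removes line breaks, tabs and extra whitespace.
        $validated[ $key ] = sanitize_text_field( $raw );
    }

    // Must return an array: the setting is stored as one and read back as one.
    return $validated;
}

add_action( 'admin_init', function () {
    // Third argument is the sanitize callback the lesson refers to.
    register_setting( 'ap_options_group', 'ap_options', 'ap_options_validate' );
} );

// index.php side: read the saved array and escape on output. Sanitizing on
// save does not replace escaping on output; esc_html() covers any value that
// reached the database by another route (imports, direct DB edits).
function ap_render_heading() {
    $options = get_option( 'ap_options', array() );
    $title   = isset( $options['ap-test-field-1'] ) ? $options['ap-test-field-1'] : '';
    echo '<h1>' . esc_html( $title ) . '</h1>';
}
```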
