3.5 Adding Proper Field Sanitization

Let's complete our theme-options page by writing the sanitize function. And this is where the sanitize field from our arrays will be handy. We're gonna use it to determine what kind of sanitization is required for that particular field. So we're gonna get started by taking a look at our initialization function here. We'll see that the function we need for sounditization is called ap_options_validate. So, we're gonna copy that and we're gonna write it right here, functions ap_options_validate. And actually, this receives an input parameter. These are the values that are transmitted from the fork. So we'll need to take this, run them through scientization functions and then return what's left. Now, let's start by defining a blank array for the output. This would be called Output. Next, we are gonna parse through each of the field that are transmitted into input and we're gonna find what kind of salinization they are require for each input has simply say key value will grab the sanitize option for this field. So before we move on let me actually show you how input looks like. So if I do a print r of the input the moment we save this, yeah, this is how it's gonna look like. So we're gonna go through each one of these, we're gonna grab its ID and then we're gonna cross-reference that ID in our multi-dimensional array. And we're gonna get the sanitized value, and based on that, we'll apply or don't apply Validation. I'll define a variable called field sanitize that's gonna be equal to AP gets field sanitize key. Now, AP get field sanitize is a function that we have to write let's do that right now. This receives a key as a parameter and then we're gonna declare ap fields as global so we have access to each one anywhere. And then we're gonna return ap fields, ap id ib and we'll grab the sanitize option. Now, in here, depending on the value of field sanitize, we're going to execute different functions. So, we're going to use a switch again. The criteria will be field sanitize. And, the first one case is, or the first value, is default. And, the default, We're gonna do two things. We're gonna strip tags, and then we're gonna do strip slashes. This is some basic generic validation, or salinization actually. So we're gonna say, output key Would be equal to strip_tags, stripslashes, input key and then break. Now, if we take a look back to our array the defaults sanitize option, let's see where is it applied. It's applied to our custom CSS for example. And that's pretty much it. The next one is full. So we're gonna say case full and I called it full, you can call it whatever you want. Basically, this should have pretty much every salinization possible, so again we're gonna say output key equals to the same function or the same functions as we used here. But we're gonna add an extra one called esc_url_raw. And this will remove some extra bits from that string. Next we have Google Analytics. Now if we take a look at the field description here this only accepts tracking ID in this format and here's an example. Now, I choose to do this version instead of accepting the whole script from Google because the whole script can be later written in code directly in your page. The only thing that separates Google Analytics scripts is this tracking ID. So really this is the only thing that we want. But we do have to create a validation to make sure that the user enters only in this format and then actually indent these. We're going to say case. This is called Google Analytics and the code looks something like this and then break. Basically, we're using our regular expressions to check the input key against this pattern. If it matches the output key gets the input key, which means the input key was correct, otherwise, it gets blank. And finally, if we did not set a value for the sanitize field, then we're gonna say default output key is gonna be equals to input key which basically means that we're not making good image change. And then finally break. And after all this is done, we simply return output. All right, so let's give it a try. Let's start with this google analytic layer. If I do a regular string like this. Save changes. It actually gives me an error here. Undefined variable, line 386. Okay, so let's see. 386. Maybe I forgot something here. Let's see. Ap field not Id. I meant key right here, sorry. Okay. Let's try that again. Let's see. I enter the string. Save. And it doesn't get saved. But if answer this one, which is correct by the way. I hit Save, it saves. I add an s here, for an incorrect string, it doesn't save it. So the sanitization here works just fine. Let's see, some custom CSS. And see body [color:red]. And now we can save that. That's fine but if we want to get cute here and write some JavaScript functions. That's not gonna work, right? And the same really goes for all of the other fields. And with this, we now have a functional theme options page. This was the last lesson of this course. Please join me in the next video for the conclusion.