WordPress validating forms
While it is a bit slower than the other escaping functions, the difference is minimal and has far less impact than most slow queries or uncached functions would.
It’s important to note that most WordPress functions already prepare their data for output, and you don’t need to escape it again.
There are several variants of the main function, each featuring a different list of built-in defaults.
A popular example is wp_kses_post(), which allows all markup normally permitted in posts.
So instead of echoing $variable directly, echo wp_kses_post( $variable ), which would allow such tags while still stripping anything outside the post whitelist.
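As an added example (not code from the original page), the following shows the late-escaping pattern the text describes: nothing is escaped when the data is fetched, and every value is escaped exactly once, with the function that matches its output context, in the line that prints it. It assumes a WordPress runtime (so esc_html(), esc_attr(), esc_url() and wp_kses_post() exist); the function name example_render_card and the sample bio are constructed for illustration.

```php
<?php
// Added example, not from the original page. Assumes WordPress is loaded so
// esc_html(), esc_attr(), esc_url() and wp_kses_post() are available.
// example_render_card() and $sample_bio are constructed for this illustration.

/**
 * Render a card for a post. Each value is escaped once, at output time,
 * with the escaping function that matches the context it lands in.
 */
function example_render_card( WP_Post $post, string $user_bio ) : string {
    $title = get_the_title( $post );   // plain text, printed in an HTML body context
    $link  = get_permalink( $post );   // a URL, printed inside an href attribute

    // An integer cast is the right "escaping" for a numeric attribute value.
    $html  = '<article class="card" data-id="' . (int) $post->ID . '">';

    // esc_url() for the attribute holding a URL, esc_html() for text between tags.
    $html .= '<h2><a href="' . esc_url( $link ) . '">' . esc_html( $title ) . '</a></h2>';

    // esc_attr() for an ordinary attribute value.
    $html .= '<p class="meta" title="' . esc_attr( $title ) . '">Posted by a contributor</p>';

    // The bio is user-supplied HTML. Instead of `echo $user_bio`, pass it through
    // wp_kses_post(): markup allowed in posts (<p>, <strong>, <a href>, ...) is kept,
    // <script> elements and on* event attributes are removed.
    $html .= '<div class="bio">' . wp_kses_post( $user_bio ) . '</div>';

    $html .= '</article>';
    return $html;
}

// Constructed sample input: allowed markup mixed with a script element and an
// inline event handler, both of which wp_kses_post() strips.
$sample_bio = '<p>Hi, I am <strong>Pat</strong>.</p>'
            . '<script>/* constructed, removed by kses */</script>'
            . '<a href="https://example.com" onclick="x()">my site</a>';

// Typical usage inside a template, with a post object already in hand:
// echo example_render_card( get_post(), $sample_bio );
```

The point of keeping escaping in the output line rather than at fetch time is that a reader of the template can see, for every printed value, which escaping function protects it and for which context; a value that is later reused in a different context (an attribute instead of body text) then gets the right function rather than inheriting an escape chosen elsewhere.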
We know that validating, sanitizing and escaping can be a complex topic; we’ll add some specific case studies and frequently asked questions here as we think they might be helpful.
It’s a good practice to sanitize anything coming from user-land as soon as you begin to interact with it, treating it as potentially malicious right away.

A: Even on large strings, the wp_kses_* functions will not add a significant overhead to your page load.
Escaping is often negligible compared to those items. Escaping as late as possible makes the code much more robust and future-proof.
Zack Tollman wanted to know more about the wp_kses functions, so he did a pretty thorough investigation of them here. He found that wp_kses functions can be 20-40x slower than esc_* functions on PHP 5.6, but the performance hit is much smaller when using HHVM.

To recap: follow the whitelist philosophy with data validation, and only allow the user to input data of your expected type. When you have a range of data that can be entered, make sure you sanitize it.
There is a distinction between how input and output are managed, and this document will walk you through that.
(If you’re interested in more thoughts on why WordPress VIP takes these practices so seriously, read The Importance of Escaping All The Things from June 2014.)

Just like that, we’ve limited the user to five characters of input, but there’s no limitation on what they can input. If we’re saving to the database, there’s no way we want to give the user unrestricted write access. When processing the form, we’ll write code to check each field for its proper data type.
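As an added example (not code from the original page), here is a server-side form handler that does what the paragraph describes: a client-side length limit only bounds how much is sent, so each field is checked against its expected type and an explicit whitelist before anything is saved. It assumes a WordPress runtime for sanitize_text_field(), sanitize_key() and is_email(); the field names, allowed values, the function name example_validate_form and the sample submission are constructed.

```php
<?php
// Added example, not from the original page. Assumes WordPress is loaded so
// sanitize_text_field(), sanitize_key() and is_email() are available.
// Field names, allowed values and the sample submission are constructed.

/**
 * Validate a raw submitted array ($_POST-shaped) field by field.
 * Returns [ 'ok' => true, 'data' => [...] ] with cleaned, typed values,
 * or [ 'ok' => false, 'errors' => [...] ] naming every failing field.
 */
function example_validate_form( array $input ) : array {
    $errors = [];
    $clean  = [];

    // Short text field: the five-character limit is enforced here, not only
    // by the form's maxlength, and only letters and digits are accepted.
    $code = sanitize_text_field( $input['code'] ?? '' );
    if ( ! preg_match( '/^[A-Za-z0-9]{1,5}$/', $code ) ) {
        $errors['code'] = 'Code must be 1-5 letters or digits.';
    } else {
        $clean['code'] = $code;
    }

    // Integer field: validate as an integer in range rather than casting,
    // so "250", "12abc" and "" are rejected instead of silently coerced.
    $qty = filter_var(
        $input['quantity'] ?? null,
        FILTER_VALIDATE_INT,
        [ 'options' => [ 'min_range' => 1, 'max_range' => 100 ] ]
    );
    if ( false === $qty ) {
        $errors['quantity'] = 'Quantity must be an integer from 1 to 100.';
    } else {
        $clean['quantity'] = $qty; // a real int, not a string
    }

    // Enumerated field: whitelist of known values with strict comparison.
    $allowed_sizes = [ 'small', 'medium', 'large' ];
    $size = sanitize_key( $input['size'] ?? '' ); // lowercases, strips anything outside [a-z0-9_-]
    if ( ! in_array( $size, $allowed_sizes, true ) ) {
        $errors['size'] = 'Unknown size.';
    } else {
        $clean['size'] = $size;
    }

    // E-mail field: is_email() returns the address on success, false otherwise.
    $email = is_email( $input['email'] ?? '' );
    if ( false === $email ) {
        $errors['email'] = 'Invalid e-mail address.';
    } else {
        $clean['email'] = $email;
    }

    if ( $errors ) {
        return [ 'ok' => false, 'errors' => $errors ];
    }
    return [ 'ok' => true, 'data' => $clean ];
}

// Constructed submission: over-long code, out-of-range quantity and a size
// that is not in the whitelist, alongside one valid field.
$sample_submission = [
    'code'     => 'abcdefg',
    'quantity' => '250',
    'size'     => 'XL',
    'email'    => 'pat@example.com',
];

$result = example_validate_form( $sample_submission );
// Only write to the database when $result['ok'] is true, and then only the
// values in $result['data']; the raw $sample_submission is never persisted.
```

The handler keeps validation (is this an integer between 1 and 100?) separate from sanitization (strip tags and line breaks from the text field), and treats the whitelist as the source of truth: a value that is not one of the expected choices is an error, not something to be cleaned up and accepted.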