
I'm using the Settings API to create options for a plugin. Do I need to validate the input values for security (for example, stripslashes etc.)? (I could not find that part in most of the tutorials.) Here's what I'm doing:

<form method="post" action="options.php">
    <?php
        // Outputs the nonce and hidden fields for this option group, then the
        // registered sections and fields, then the submit button.
        settings_fields( 'sandbox_theme_display_options' );
        do_settings_sections( 'sandbox_theme_display_options' );
        submit_button();
    ?>
</form>

function sandbox_initialize_theme_options() {
    // Section that groups the display fields on the settings page.
    add_settings_section(
        'general_settings_section',
        __( 'Display Options', 'sandbox' ),
        'sandbox_general_options_callback',
        'sandbox_theme_display_options'
    );

    // Checkbox field; the markup is produced by sandbox_toggle_header_callback().
    add_settings_field(
        'show_header',
        __( 'Header', 'sandbox' ),
        'sandbox_toggle_header_callback',
        'sandbox_theme_display_options',
        'general_settings_section',
        array(
            __( 'Activate this setting to display the header.', 'sandbox' ),
        )
    );

    // Registers the option with no sanitize callback (third argument omitted).
    register_setting(
        'sandbox_theme_display_options',
        'sandbox_theme_display_options'
    );
}
add_action( 'admin_init', 'sandbox_initialize_theme_options' );

1 Answer

No, you don't need to validate/clean/escape because of security flaws in WordPress. WordPress uses prepared statements by default.

However, you can validate by yourself that the content is what you're expecting. For example, if you only want numbers you can use is_numeric() or is_float(). Or match the input value to an array of predefined strings.
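The validation the answer describes (is_numeric() for numbers, matching against an array of predefined strings) fits naturally into the third argument of register_setting(), the sanitize callback, which WordPress runs on every save before the value is written. The block below is an added example, not code from the question or the answer: it replaces the question's register_setting() call with one that has a callback, validates each field against a whitelist, keeps the previously stored value when a submission is rejected, and escapes the stored value when the field callback prints it back into the admin form. The field names 'items_per_page' and 'layout', the allowed layouts and the numeric range are assumptions chosen for illustration; only 'show_header' comes from the question.

```php
<?php
// Added example (not the question's or the answer's code).
// Assumed option layout: 'show_header' (checkbox), 'items_per_page' (number),
// 'layout' (one of a fixed list). Only 'show_header' appears in the question.

function sandbox_register_validated_options() {
    // Third argument is the sanitize callback; WordPress calls it with the
    // raw submitted array and stores whatever it returns.
    register_setting(
        'sandbox_theme_display_options',
        'sandbox_theme_display_options',
        'sandbox_validate_display_options'
    );
}
add_action( 'admin_init', 'sandbox_register_validated_options' );

function sandbox_default_display_options() {
    return array(
        'show_header'    => 1,
        'items_per_page' => 10,
        'layout'         => 'grid',
    );
}

function sandbox_validate_display_options( $input ) {
    $allowed_layouts = array( 'grid', 'list' ); // assumed whitelist

    // Start from the currently stored values so a rejected field keeps its
    // last good value instead of being wiped or left as raw input.
    $output = wp_parse_args(
        get_option( 'sandbox_theme_display_options', array() ),
        sandbox_default_display_options()
    );

    if ( ! is_array( $input ) ) {
        $input = array();
    }

    // Checkbox: only the literal "1" is accepted; absence or anything else is 0.
    $output['show_header'] = ( isset( $input['show_header'] ) && '1' === (string) $input['show_header'] ) ? 1 : 0;

    // Number: must be numeric and inside an assumed range, stored as an integer.
    if ( isset( $input['items_per_page'] ) && is_numeric( $input['items_per_page'] ) ) {
        $n = (int) $input['items_per_page'];
        if ( $n >= 1 && $n <= 100 ) {
            $output['items_per_page'] = $n;
        } else {
            add_settings_error(
                'sandbox_theme_display_options',
                'items_per_page',
                __( 'Items per page must be between 1 and 100.', 'sandbox' )
            );
        }
    }

    // String: must match one of the predefined values exactly (strict in_array).
    if ( isset( $input['layout'] ) ) {
        $layout = sanitize_text_field( $input['layout'] );
        if ( in_array( $layout, $allowed_layouts, true ) ) {
            $output['layout'] = $layout;
        } else {
            add_settings_error(
                'sandbox_theme_display_options',
                'layout',
                __( 'Unknown layout.', 'sandbox' )
            );
        }
    }

    return $output;
}

// Field callback named in the question's add_settings_field() call. Everything
// echoed into the form is escaped, including values read back from the database.
function sandbox_toggle_header_callback( $args ) {
    $options = wp_parse_args(
        get_option( 'sandbox_theme_display_options', array() ),
        sandbox_default_display_options()
    );
    $html  = '<input type="checkbox" id="show_header" name="sandbox_theme_display_options[show_header]" value="1" '
           . checked( 1, $options['show_header'], false ) . ' />';
    $html .= '<label for="show_header">' . esc_html( $args[0] ) . '</label>';
    echo $html;
}
```

Two points worth keeping in mind when adapting this: the callback receives the whole option array, so every key the form can submit needs its own rule, and keys the form cannot submit (here, a value not in the whitelist) are simply never copied into $output. Prepared statements protect the write to wp_options; the whitelist and the esc_html()/checked() calls are what protect the admin page when the value is rendered again.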
