sanitize_post()
Clears each field of the specified post object/array.
The function sanitizes loosely: for example, with the db context it does not add escaping slashes.
If the context is raw, sanitization is minimal: only some of the integer fields are converted to int (ID, post_parent, menu_order, ancestors). Everything else is returned as passed.
Under the edit and display contexts, post_content is stripped of tags based on the tags allowed for the current user's capabilities.
With the db context the function does not escape characters.
No Hooks.
Returns
Object|WP_Post|Array. Cleansed object/array of data passed in $post.
Usage
sanitize_post( $post, $context );
- $post (object/WP_Post/array) (required)
  Data of the post that needs to be cleaned.
- $context (string)
  Type of data cleaning. Can be:
  - raw - for use in a string.
  - edit - for further editing.
  - db - for use in a query.
  - display - for output on the screen.
  - attribute - for use in an attribute.
  Default: 'display'
Examples
#1 Data Cleaning Example
Suppose we receive post data in a $_POST request and need to clean it before displaying each field on the screen. This can be done field by field, but it is much handier to run the whole array through this function, like this:
$post_data = $_POST['post_data'];
$post_data = sanitize_post( $post_data );
Or for use in a SQL query:
$post_data = sanitize_post( $post_data, 'db' ); // NOTE: result is not protected against sql injections
#2 Cleaning before adding to the database
Example from the function wp_insert_post(); in the example I removed a lot of code to show only the essence of the cleaning:
$postarr = $_POST['post_data'];

// delete data about the previous cleanup
unset( $postarr['filter'] );

// clean
$postarr = sanitize_post( $postarr, 'db' );

// collect $data from the parameters in $postarr
.........

// Remove slashes; $wpdb->insert() adds them itself
$data = wp_unslash( $data );

// insert
$wpdb->insert( $wpdb->posts, $data );
#3 How the data is cleaned:
// let $_POST['post_data'] have the following data:
$post_data = array(
'ID' => '6129',
'post_author' => '1',
'post_date' => '2015-09-03 01:36:12',
'post_content' => 'Content " quote. <br> <foo>foo</foo> <script>something</script> ',
'post_title' => 'wp_get_post_revision',
'post_status' => 'publish',
'comment_status' => 'open',
'post_name' => 'wp_get_post_revision',
'post_content_filtered' => '',
'post_parent' => '0',
'menu_order' => '0',
'post_type' => 'func',
'comment_count' => '0'
);
// output
foreach( $post_data as $k => $v ){
echo "$k = (", gettype($v) ,") ". htmlspecialchars($v) ."\n";
}
/* We get:
ID = (string) 6129
post_author = (string) 1
post_date = (string) 2015-09-03 01:36:12
post_content = (string) Content " quote. <br> <foo>foo</foo> <script>something</script>
post_title = (string) wp_get_post_revision
post_status = (string) publish
comment_status = (string) open
post_name = (string) wp_get_post_revision
post_content_filtered = (string)
post_parent = (string) 0
menu_order = (string) 0
post_type = (string) func
comment_count = (string) 0
*/
Now let's see how the data looks after cleaning, paying attention to the types:
$post_data = sanitize_post( $post_data, 'raw' );
// raw ----------------
/*
ID = (integer) 6129
post_author = (string) 1
post_date = (string) 2015-09-03 01:36:12
post_content = (string) Content " quote. <br> <foo>foo</foo> <script>something</script>
post_title = (string) wp_get_post_revision
post_status = (string) publish
comment_status = (string) open
post_name = (string) wp_get_post_revision
post_content_filtered = (string)
post_parent = (integer) 0
menu_order = (integer) 0
post_type = (string) func
comment_count = (string) 0
filter = (string) raw
*/

$post_data = sanitize_post( $post_data, 'edit' );
// edit ----------------
/*
ID = (string) 6129
post_author = (string) 1
post_date = (string) 2015-09-03 01:36:12
post_content = (string) Content " quote. <br> <foo>foo</foo> <script>something</script>
post_title = (string) wp_get_post_revision
post_status = (string) publish
comment_status = (string) open
post_name = (string) wp_get_post_revision
post_content_filtered = (string)
post_parent = (string) 0
menu_order = (string) 0
post_type = (string) func
comment_count = (string) 0
filter = (string) edit
*/

$post_data = sanitize_post( $post_data, 'db' );
// db ----------------
/*
ID = (integer) 6129
post_author = (string) 1
post_date = (string) 2015-09-03 01:36:12
post_content = (string) Content " quote. <br> <foo>foo</foo> <script>something</script>
post_title = (string) wp_get_post_revision
post_status = (string) publish
comment_status = (string) open
post_name = (string) wp_get_post_revision
post_content_filtered = (string)
post_parent = (integer) 0
menu_order = (integer) 0
post_type = (string) func
comment_count = (string) 0
filter = (string) db
*/

$post_data = sanitize_post( $post_data, 'display' );
// display ----------------
/*
ID = (integer) 6129
post_author = (string) 1
post_date = (string) 2015-09-03 01:36:12
post_content = (string) Content " quote. <br> <foo>foo</foo> <script>something</script>
post_title = (string) wp_get_post_revision
post_status = (string) publish
comment_status = (string) open
post_name = (string) wp_get_post_revision
post_content_filtered = (string)
post_parent = (integer) 0
menu_order = (integer) 0
post_type = (string) func
comment_count = (string) 0
filter = (string) display
*/

$post_data = sanitize_post( $post_data, 'attribute' );
// attribute ----------------
/*
ID = (string) 6129
post_author = (string) 1
post_date = (string) 2015-09-03 01:36:12
post_content = (string) Content "quote. <br> <foo>foo</foo> <script>something</script>
post_title = (string) wp_get_post_revision
post_status = (string) publish
comment_status = (string) open
post_name = (string) wp_get_post_revision
post_content_filtered = (string)
post_parent = (string) 0
menu_order = (string) 0
post_type = (string) func
comment_count = (string) 0
filter = (string) js
*/
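As the outputs above show, sanitize_post() leaves the `<script>` tag in post_content untouched under every context, and the db context does not protect a query. The following is an added example (not from the original page or WordPress core) of layering output escaping and a parameterised insert on top of sanitize_post(); it assumes a loaded WordPress environment (e.g. a plugin), and the function names example_render_post_data and example_insert_post_data are invented.

```php
<?php
// Added example, not part of the original page. Assumes WordPress is loaded so
// sanitize_post(), wp_kses_post(), esc_html(), absint(), wp_unslash() and $wpdb exist.

/**
 * Prepare untrusted post data (as received in $_POST['post_data']) for output.
 * sanitize_post( ..., 'display' ) only coerces a few integer fields and sets
 * 'filter'; it does not remove <script> or other tags from post_content,
 * so escaping for the output context is still required.
 */
function example_render_post_data( array $raw ) {
    $post_data = (array) sanitize_post( $raw, 'display' );

    return array(
        // Title is plain text: escape every HTML special character.
        'title'   => esc_html( $post_data['post_title'] ),
        // Content may legitimately carry markup: keep the post-level allow list
        // (<br>, <p>, <a>, ...) and drop disallowed tags such as <script>, <foo>.
        'content' => wp_kses_post( $post_data['post_content'] ),
        // ID is already an int after sanitize_post(); absint() makes that explicit.
        'id'      => absint( $post_data['ID'] ),
    );
}

/**
 * Prepare the same data for insertion. The 'db' context does not escape for SQL
 * (see the NOTE in example #1): protection comes from passing an array to
 * $wpdb->insert(), which builds the statement through $wpdb->prepare(), and
 * from accepting only known columns.
 */
function example_insert_post_data( array $raw ) {
    global $wpdb;
    $allowed = array( 'post_author', 'post_date', 'post_content', 'post_title',
                      'post_status', 'post_name', 'post_type' );

    unset( $raw['filter'] );                  // forget any previous cleaning context
    $clean = (array) sanitize_post( $raw, 'db' );
    $data  = array_intersect_key( $clean, array_flip( $allowed ) );
    $data  = wp_unslash( $data );             // $_POST arrives slashed in WordPress

    // One '%s' placeholder per column; $wpdb quotes the values itself.
    $formats = array_fill( 0, count( $data ), '%s' );
    return $wpdb->insert( $wpdb->posts, $data, $formats ); // rows inserted, or false
}
```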
Notes
Changelog
| Since 2.3.0 | Introduced. |