sanitize_post() WP 2.3.0

Sanitize every post field.

If the context is 'raw', then the post object or array will get minimal sanitization of the integer fields.

1 time — 0.000089 sec (very fast) | 50000 times — 3.16 sec (fast)

No Hooks.

Return

Object|WP_Post|Array. The now sanitized post object or array (will be the same type as $post).

Usage

sanitize_post( $post, $context );
$post(object|WP_Post|array) (required)
The post object or array
$context(string)
How to sanitize post fields. Accepts 'raw', 'edit', 'db', 'display', 'attribute', or 'js'.
Default: 'display'

Examples


#1 Data Cleaning Example

Suppose we receive post data in a $_POST request and need to clean it up before displaying each field on the screen. This can be done field by field, but it is much handier to run the data through this function, like this:

$post_data = $_POST['post_data'];
$post_data = sanitize_post( $post_data );

Or for use in a SQL query:

$post_data = sanitize_post( $post_data, 'db' );
// NOTE: the result is NOT protected against SQL injection; escaping is the job of $wpdb->prepare() / $wpdb->insert()

#2 Cleaning before adding to the database

Example taken from wp_insert_post(); I removed a lot of code to show only the essence of the cleaning:

$postarr = $_POST['post_data'];

// drop the marker left by a previous sanitization pass, otherwise
// sanitize_post() returns early when $postarr['filter'] already equals 'db'
unset( $postarr[ 'filter' ] );

// sanitize for the database context
$postarr = sanitize_post($postarr, 'db');

// collect $data from parameters $postarr .........

// Remove slashes: $_POST data arrives slashed, and $wpdb->insert() escapes the values itself
$data = wp_unslash( $data );

// insert
$wpdb->insert( $wpdb->posts, $data );

#3 How the data is cleaned:

// let $_POST['post_data'] have the following data:

$post_data = array(
	'ID'             => '6129',
	'post_author'    => '1',
	'post_date'      => '2015-09-03 01:36:12',
	'post_content'   => 'Content " quote. <br> <foo>foo</foo> <script>something</script> ',
	'post_title'     => 'wp_get_post_revision',
	'post_status'    => 'publish',
	'comment_status' => 'open',
	'post_name'      => 'wp_get_post_revision',
	'post_content_filtered' => '',
	'post_parent'    => '0',
	'menu_order'     => '0',
	'post_type'      => 'func',
	'comment_count'  => '0'
);

// output
foreach( $post_data as $k => $v ){
	echo "$k = (", gettype($v) ,") ". htmlspecialchars($v) ."\n";
}

/* We get:
ID = (string) 6129
post_author = (string) 1
post_date = (string) 2015-09-03 01:36:12
post_content = (string) Content " quote. <br> <foo>foo</foo> <script>something</script>
post_title = (string) wp_get_post_revision
post_status = (string) publish
comment_status = (string) open
post_name = (string) wp_get_post_revision
post_content_filtered = (string)
post_parent = (string) 0
menu_order = (string) 0
post_type = (string) func
comment_count = (string) 0
*/

Now let's see how the data looks after cleaning, paying attention to the types:

$post_data = sanitize_post( $post_data, 'raw' ); // raw ----------------

/*
ID = (integer) 6129
post_author = (string) 1
post_date = (string) 2015-09-03 01:36:12
post_content = (string) Content " quote. <br> <foo>foo</foo> <script>something</script>
post_title = (string) wp_get_post_revision
post_status = (string) publish
comment_status = (string) open
post_name = (string) wp_get_post_revision
post_content_filtered = (string)
post_parent = (integer) 0
menu_order = (integer) 0
post_type = (string) func
comment_count = (string) 0
filter = (string) raw
*/

$post_data = sanitize_post( $post_data, 'edit' ); // edit ----------------

/*
ID = (string) 6129
post_author = (string) 1
post_date = (string) 2015-09-03 01:36:12
post_content = (string) Content " quote. <br> <foo>foo</foo> <script>something</script>
post_title = (string) wp_get_post_revision
post_status = (string) publish
comment_status = (string) open
post_name = (string) wp_get_post_revision
post_content_filtered = (string)
post_parent = (string) 0
menu_order = (string) 0
post_type = (string) func
comment_count = (string) 0
filter = (string) edit
*/

$post_data = sanitize_post( $post_data, 'db' ); // db ----------------

/*
ID = (integer) 6129
post_author = (string) 1
post_date = (string) 2015-09-03 01:36:12
post_content = (string) Content " quote. <br> <foo>foo</foo> <script>something</script>
post_title = (string) wp_get_post_revision
post_status = (string) publish
comment_status = (string) open
post_name = (string) wp_get_post_revision
post_content_filtered = (string)
post_parent = (integer) 0
menu_order = (integer) 0
post_type = (string) func
comment_count = (string) 0
filter = (string) db
*/

$post_data = sanitize_post( $post_data, 'display' ); // display ----------------

/*
ID = (integer) 6129
post_author = (string) 1
post_date = (string) 2015-09-03 01:36:12
post_content = (string) Content " quote. <br> <foo>foo</foo> <script>something</script>
post_title = (string) wp_get_post_revision
post_status = (string) publish
comment_status = (string) open
post_name = (string) wp_get_post_revision
post_content_filtered = (string)
post_parent = (integer) 0
menu_order = (integer) 0
post_type = (string) func
comment_count = (string) 0
filter = (string) display
*/

$post_data = sanitize_post( $post_data, 'attribute' ); // attribute ----------------

/*
ID = (string) 6129
post_author = (string) 1
post_date = (string) 2015-09-03 01:36:12
post_content = (string) Content &quot;quote. &lt;br&gt; &lt;foo&gt;foo&lt;/foo&gt; &lt;script&gt;something&lt;/script&gt;
post_title = (string) wp_get_post_revision
post_status = (string) publish
comment_status = (string) open
post_name = (string) wp_get_post_revision
post_content_filtered = (string)
post_parent = (string) 0
menu_order = (string) 0
post_type = (string) func
comment_count = (string) 0
filter = (string) js
*/
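The two gaps that examples #1 and #3 expose are that 'db' output still carries raw quotes and <script> tags (the database layer must escape) and that 'display' output is not HTML-safe (the template must escape). The following is an added example, not code from this page or from WordPress core; it assumes it runs inside WordPress, and save_untrusted_post() and render_post() are hypothetical names:

```php
<?php
// Added example (not WordPress core code). Assumes WordPress is loaded so that
// sanitize_post(), wp_unslash(), esc_html(), wp_kses_post() and $wpdb exist.
// save_untrusted_post() and render_post() are hypothetical helper names.

function save_untrusted_post( array $raw ) {
	global $wpdb;

	// A request can carry its own 'filter' key. sanitize_post() returns early
	// when $post['filter'] equals the context, so a client-supplied value of
	// 'db' would skip every sanitize_post_field() call. Drop it first.
	unset( $raw['filter'] );

	// Fix the integer fields and run the *_save_pre filters. This does NOT
	// escape for SQL and may leave <script> in post_content (see output above).
	$clean = sanitize_post( $raw, 'db' );

	// Whitelist the columns that may be written. 'filter' is not a column,
	// a client-chosen ID must never reach an INSERT, and author/status are
	// decided server-side rather than taken from the request.
	$data = array(
		'post_author'  => get_current_user_id(),
		'post_status'  => 'draft',
		'post_title'   => $clean['post_title'],
		'post_content' => $clean['post_content'],
		'post_type'    => $clean['post_type'],
		'post_parent'  => $clean['post_parent'], // already (int)
		'menu_order'   => $clean['menu_order'],  // already (int)
	);

	// $_POST values arrive slashed; unslash them because $wpdb->insert()
	// escapes every value itself. This step, not sanitize_post(), is what
	// keeps quotes in post_title or post_content out of the SQL.
	$data = wp_unslash( $data );

	return $wpdb->insert( $wpdb->posts, $data ) ? (int) $wpdb->insert_id : false;
}

function render_post( array $post ) {
	// 'display' context only runs the post_* display filters; the output
	// above shows "<script>" survives it, so escape at the point of output.
	$post = sanitize_post( $post, 'display' );

	return '<h2>' . esc_html( $post['post_title'] ) . '</h2>'
		. '<div>' . wp_kses_post( $post['post_content'] ) . '</div>';
}
```

With the constructed $post_data from example #3, render_post() emits the title entity-encoded and the content with the <script> element stripped by wp_kses_post(), while the <br> survives.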

Changelog

Since 2.3.0 Introduced.

sanitize_post() code WP 6.4.3

function sanitize_post( $post, $context = 'display' ) {
	if ( is_object( $post ) ) {
		// Check if post already filtered for this context.
		if ( isset( $post->filter ) && $context == $post->filter ) {
			return $post;
		}
		if ( ! isset( $post->ID ) ) {
			$post->ID = 0;
		}
		foreach ( array_keys( get_object_vars( $post ) ) as $field ) {
			$post->$field = sanitize_post_field( $field, $post->$field, $post->ID, $context );
		}
		$post->filter = $context;
	} elseif ( is_array( $post ) ) {
		// Check if post already filtered for this context.
		if ( isset( $post['filter'] ) && $context == $post['filter'] ) {
			return $post;
		}
		if ( ! isset( $post['ID'] ) ) {
			$post['ID'] = 0;
		}
		foreach ( array_keys( $post ) as $field ) {
			$post[ $field ] = sanitize_post_field( $field, $post[ $field ], $post['ID'], $context );
		}
		$post['filter'] = $context;
	}
	return $post;
}