General API Documentation

💡 云策 document annotations

Overview

This document explains why data sanitization matters in WordPress: it protects the system from untrusted data, whether that data comes from user input, third-party sources, or the site's own database. It stresses that when no more specific validation is possible, sanitization is the preferred safety measure, and it gives examples of the relevant functions.

Key Points

  • Untrusted data has many sources, including users, third-party sites and the database, and all of it must be checked before it is used.
  • Sanitizing input is the process of securing, cleaning or filtering input data; when validation is not feasible, sanitization is the next best option.
  • WordPress provides many sanitization functions, such as sanitize_text_field(), for handling different kinds of data.

Code Example

$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );

Notes

  • sanitize_text_field() checks for invalid UTF-8, converts single less-than characters to an entity, strips tags, removes line breaks and extra white space, and strips octets.
  • Other sanitization functions include sanitize_email(), sanitize_file_name(), sanitize_url() and more, each suited to a different kind of data.

📄 Original content

Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.

Remember: Even admins are users, and users will enter incorrect data, either on purpose or accidentally. It’s your job to protect them from themselves.

Sanitizing input is the process of securing/cleaning/filtering input data. Validation is preferred over sanitization because validation is more specific. But when “more specific” isn’t possible, sanitization is the next best thing.

Example

Let’s say we have an input field named title:

<input id="title" type="text" name="title">

We can’t use Validation here because the text field is too general: it can be anything at all. So we sanitize the input data with the sanitize_text_field() function:

$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );

Behind the scenes, sanitize_text_field() does the following:

  1. Checks for invalid UTF-8
  2. Converts single less-than characters (<) to an entity
  3. Strips all tags
  4. Removes line breaks, tabs and extra white space
  5. Strips octets
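The following is an added example, not code from the WordPress handbook, that puts the handler above into a complete plugin-side flow: a form with the title field from the text plus a few other field types, a submit handler that checks the nonce and capability before touching the data, sanitizes each field with the function that fits its shape (validating instead where a stricter check exists, as the text recommends), and escapes on output. The 'cp_' prefix, the field names, the meta keys and the admin-post action name are assumptions for this example; every WordPress function called is a real core function.

```php
<?php
/**
 * Added example (not from the WordPress handbook): sanitize each untrusted
 * field with the function that matches its shape, validate where a stricter
 * check exists, and escape when rendering. The 'cp_' prefix, field names,
 * meta keys and the 'cp_save_meta' action are assumptions for this example.
 */

// Renders the form. Field names and the nonce action are assumptions.
function cp_render_form( int $post_id ): void {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'cp_save_meta', 'cp_nonce' ); ?>
        <input type="hidden" name="action" value="cp_save_meta">
        <input type="hidden" name="post_id" value="<?php echo esc_attr( (string) $post_id ); ?>">
        <input id="title" type="text" name="title">
        <textarea id="notes" name="notes"></textarea>
        <input id="contact" type="email" name="contact">
        <select id="priority" name="priority">
            <option value="low">low</option>
            <option value="high">high</option>
        </select>
        <button type="submit">Save</button>
    </form>
    <?php
}

// Handles the submission (admin-post.php, action=cp_save_meta).
function cp_handle_save(): void {
    // Authorization first: the nonce ties the request to this form,
    // the capability check ties it to a user allowed to edit this post.
    check_admin_referer( 'cp_save_meta', 'cp_nonce' );
    $post_id = absint( $_POST['post_id'] ?? 0 ); // an integer id is validated by type
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'Not allowed.' );
    }

    // WordPress adds slashes to request data; remove them before sanitizing.
    $raw = wp_unslash( $_POST );

    // Free text is too general to validate, so sanitize it. Line breaks are removed.
    $title = sanitize_text_field( $raw['title'] ?? '' );

    // Multi-line text: sanitize_textarea_field() keeps the newlines but
    // otherwise applies the same cleaning as sanitize_text_field().
    $notes = sanitize_textarea_field( $raw['notes'] ?? '' );

    // E-mail: sanitize, then validate; reject an address that still fails is_email().
    $contact = sanitize_email( $raw['contact'] ?? '' );
    if ( '' !== $contact && ! is_email( $contact ) ) {
        wp_die( 'Invalid contact address.' );
    }

    // A fixed set of values can be validated, so prefer validation over sanitization.
    $priority = in_array( $raw['priority'] ?? '', array( 'low', 'high' ), true )
        ? $raw['priority']
        : 'low';

    update_post_meta( $post_id, 'cp_title', $title );
    update_post_meta( $post_id, 'cp_notes', $notes );
    update_post_meta( $post_id, 'cp_contact', $contact );
    update_post_meta( $post_id, 'cp_priority', $priority );

    wp_safe_redirect( get_edit_post_link( $post_id, 'raw' ) );
    exit;
}
add_action( 'admin_post_cp_save_meta', 'cp_handle_save' );

// Sanitizing on input does not replace escaping on output: the stored title
// is still escaped for the HTML context it is rendered into.
function cp_render_title( int $post_id ): string {
    return esc_html( get_post_meta( $post_id, 'cp_title', true ) );
}
```

The design point is the pairing of field shape and function: sanitize_text_field() for a single-line title, sanitize_textarea_field() where line breaks must survive, sanitize_email() followed by is_email() where a precise check exists, and a whitelist comparison for a select whose legal values are known. Whichever function cleaned the value on the way in, the value is escaped again with esc_html() on the way out.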

Sanitization functions

There are many functions that will help you sanitize your data.

  • sanitize_email(): https://developer.wordpress.org/reference/functions/sanitize_email/
  • sanitize_file_name(): https://developer.wordpress.org/reference/functions/sanitize_file_name/
  • sanitize_hex_color(): https://developer.wordpress.org/reference/functions/sanitize_hex_color/
  • sanitize_hex_color_no_hash(): https://developer.wordpress.org/reference/functions/sanitize_hex_color_no_hash/
  • sanitize_html_class(): https://developer.wordpress.org/reference/functions/sanitize_html_class/
  • sanitize_key(): https://developer.wordpress.org/reference/functions/sanitize_key/
  • sanitize_meta(): https://developer.wordpress.org/reference/functions/sanitize_meta/
  • sanitize_mime_type(): https://developer.wordpress.org/reference/functions/sanitize_mime_type/
  • sanitize_option(): https://developer.wordpress.org/reference/functions/sanitize_option/
  • sanitize_sql_orderby(): https://developer.wordpress.org/reference/functions/sanitize_sql_orderby/
  • sanitize_term(): https://developer.wordpress.org/reference/functions/sanitize_term/
  • sanitize_term_field(): https://developer.wordpress.org/reference/functions/sanitize_term_field/
  • sanitize_text_field(): https://developer.wordpress.org/reference/functions/sanitize_text_field/
  • sanitize_textarea_field(): https://developer.wordpress.org/reference/functions/sanitize_textarea_field/
  • sanitize_title(): https://developer.wordpress.org/reference/functions/sanitize_title/
  • sanitize_title_for_query(): https://developer.wordpress.org/reference/functions/sanitize_title_for_query/
  • sanitize_title_with_dashes(): https://developer.wordpress.org/reference/functions/sanitize_title_with_dashes/
  • sanitize_user(): https://developer.wordpress.org/reference/functions/sanitize_user/
  • sanitize_url(): https://developer.wordpress.org/reference/functions/sanitize_url/
  • wp_kses(): https://developer.wordpress.org/reference/functions/wp_kses/
  • wp_kses_post(): https://developer.wordpress.org/reference/functions/wp_kses_post/