The correct way to get URL parameter values in WordPress

URL query parameters really come in handy. For example, in eForm we use data from query parameters to pre-populate/prefill form elements.

But what is the most effective, foolproof way to get the data? Is a simple $_REQUEST[ $key ] enough? Of course not, for two reasons:

  • WordPress adds slashes to the $_REQUEST array beforehand. So even if magic quotes are turned off, you will get slashes.
  • The raw data can expose your site to cross-site vulnerabilities like XSS.

So I put together a really simple function to properly get values from the URL parameters. You can use it wherever you like.

<?php
/**
 * Gets the request parameter.
 *
 * @param      string  $key      The query parameter
 * @param      string  $default  The default value to return if not found
 *
 * @return     string  The request parameter.
 */
function get_request_parameter( $key, $default = '' ) {
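    // Parameter is missing or empty: return the default.
    // Note that empty() is also true for the string "0".
    if ( ! isset( $_REQUEST[ $key ] ) || empty( $_REQUEST[ $key ] ) ) {
        return $default;
    }

    // Parameter is set: remove the slashes WordPress added, then strip HTML tags.
    return strip_tags( (string) wp_unslash( $_REQUEST[ $key ] ) );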
}

Here three things are happening.

  • First we check if the request key is present or not. If not, then just return a default value.
  • If it is set, then we first remove slashes by doing wp_unslash. Read here why it is better than stripslashes_deep.
  • Then we sanitize the value by doing a simple strip_tags. If you expect rich text from the parameter, then run it through wp_kses or similar functions.
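
The three steps above, extended in an added example that is not code from the original post: the hypothetical get_scalar_request_parameter() also rejects array input such as ?key[]=a and keeps a literal "0", and the loop escapes each value with esc_attr() at output because strip_tags() leaves quotes untouched. The $_REQUEST values are constructed, and the two function_exists() shims are simplified stand-ins so the file also runs outside WordPress.

```php
<?php
// Added example, not the original post's code.
// Simplified stand-ins (assumptions) so the file also runs without WordPress loaded.
if ( ! function_exists( 'wp_unslash' ) ) {
    function wp_unslash( $value ) {
        if ( is_array( $value ) ) {
            return array_map( 'wp_unslash', $value );
        }
        return is_string( $value ) ? stripslashes( $value ) : $value;
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

/**
 * Hypothetical stricter variant of get_request_parameter().
 *
 * @param  string $key     The query parameter.
 * @param  string $default Value returned when the parameter is unusable.
 * @return string
 */
function get_scalar_request_parameter( $key, $default = '' ) {
    // Missing key, or array input such as ?key[]=a that a (string) cast
    // would turn into the literal text "Array".
    if ( ! isset( $_REQUEST[ $key ] ) || ! is_scalar( $_REQUEST[ $key ] ) ) {
        return $default;
    }
    $value = strip_tags( (string) wp_unslash( $_REQUEST[ $key ] ) );
    // Compare with '' rather than empty() so a literal "0" is kept.
    return '' === $value ? $default : $value;
}

// Constructed sample input, slashed the way WordPress slashes superglobals.
$_REQUEST = array(
    'name'  => 'O\\\'Brien <b>Jr</b>',
    'qty'   => '0',
    'tags'  => array( 'a', 'b' ),
    'title' => 'x\\" data-test=\\"1',
);

foreach ( array( 'name', 'qty', 'tags', 'title', 'missing' ) as $key ) {
    $value = get_scalar_request_parameter( $key, '(default)' );
    // strip_tags() leaves quotes intact, so escape for the attribute context too.
    printf( "%-8s <input value=\"%s\">\n", $key, esc_attr( $value ) );
}
```

The 'title' row is the one to look at: it contains no tags, so strip_tags() returns it unchanged, and only the esc_attr() call keeps its double quote from closing the value attribute.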