URL query parameters really come in handy. For example, in eForm we use data from query parameters to pre-populate/prefil form elements.
But what is the most effective, foolproof way to get the data? Is a simple $_REQUEST[ $key ] enough? Of course not. The reasons being:
- WordPress adds slashes to the $_REQUEST array before-hand. So even if magic quote is turned off, you will get slashes.
- The raw data can expose to cross site vulnerability like XSS.
So I put together a really simple function to properly get values from the URL parameters. You can use it whereever you like.
01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 | <?php/** * Gets the request parameter. * * @param string $key The query parameter * @param string $default The default value to return if not found * * @return string The request parameter. */function get_request_parameter( $key, $default = '' ) { // If not request set if ( ! isset( $_REQUEST[ $key ] ) || empty( $_REQUEST[ $key ] ) ) { return $default; } // Set so process it return strip_tags( (string) wp_unslash( $_REQUEST[ $key ] ) );} |
Here three things are happening.
- First we check if the request key is present or not. If not, then just return a default value.
- If it is set, then we first remove slashes by doing
wp_unslash. Read here why it is better thanstripslashes_deep. - Then we sanitize the value by doing a simple
strip_tags. If you expect rich text from parameter, then run it throughwp_ksesor similar functions.
