• Working on a site that allows users to register from the front end as “subscribers.”

    I’m adding a couple fields to the Registration Form so they can fill in first and last names in their profile without having to go to the backend. The code below is more or less from the Codex.

    My question: WP is using update_user_meta, which in turn calls update_metadata, so this is sanitized and safe to save to the database this way, correct? Just want to verify that I don’t need to do additional security in plugin code I’m using:

    // Add a new form element...
    add_action('register_form','hz_register_form');
    
    function hz_register_form (){
    	$first_name = ( isset( $_POST['first_name'] ) ) ? $_POST['first_name']: '';
    	?>
    	<p>
    		<label for="first_name"><?php _e( 'First Name' ) ?><br />
    		<input type="text" name="first_name" id="first_name" class="input" value="<?php echo esc_attr(stripslashes($first_name)); ?>" size="25" /></label>
    	</p>
    	<?php
    
    	$last_name = ( isset( $_POST['last_name'] ) ) ? $_POST['last_name']: '';
    	?>
    	<p>
    		<label for="last_name"><?php _e( 'Last Name' ) ?><br />
    		<input type="text" name="last_name" id="last_name" class="input" value="<?php echo esc_attr(stripslashes($last_name)); ?>" size="25" /></label>
    	</p>
    	<?php
    }
    
    // Add validation. In this case, we make sure first_name is required.
    add_filter('registration_errors', 'hz_registration_errors', 10, 3);
    
    function hz_registration_errors ($errors, $sanitized_user_login, $user_email) {
    
    	if ( empty( $_POST['first_name'] ) || empty( $_POST['last_name'] ) )
    		$errors->add( 'name_error', __( '<strong>ERROR</strong>: Please include your first and last names.' ) );
    
    	return $errors;
    }
    
    // Save extra registration user meta.
    
    add_action('user_register', 'hz_user_register');
    
    function hz_user_register ($user_id) {
    	if ( isset( $_POST['first_name'] ) )
    		update_user_meta($user_id, 'first_name', $_POST['first_name']);
    
    	if ( isset( $_POST['last_name'] ) )
    		update_user_meta($user_id, 'last_name', $_POST['last_name']);
    }
Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator bcworkz

    (@bcworkz)

    AFAIK, not true. update_metadata() calls sanitize_meta(), where you would think your data gets sanitized. Not so! All this function does is apply the filter “sanitize_{$meta_type}_meta_{$meta_key}”. If no appropriate filter is added, no sanitization happens. I expect filters are in place for pre-defined WP metadata, but clearly not so for custom metadata.

    It’s bad practice anyway to generically attempt to sanitize data where its specific nature is not known. You are in the best position to securely sanitize and validate your data because you know exactly what the data can be and are in the best position to reject anything that is not that.

    Thread Starter bob.passaro

    (@bobpassaro)

    Thanks for the info.

    Should tighten up the validation anyway, so just allowing letters, - and _, these being names.

    // Goes inside hz_registration_errors(), before `return $errors;`.
    // Whole value must be letters, hyphens or underscores; anything else is rejected.
    if ( ! preg_match("/^([a-zA-Z_-])+$/i", $_POST['first_name'] ) || ! preg_match("/^([a-zA-Z_-])+$/i", $_POST['last_name'] )  )
    	$errors->add( 'invalid_char_error', __( '<strong>ERROR</strong>: Try again; names can contain only letters, hyphens and underscores.' ) );

    The earlier code escapes any output back out to the form.
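One way to close the gap the moderator describes, as an added example that is not code from the thread: register the sanitize_user_meta_{key} filter that sanitize_meta() looks up, so update_user_meta() on these keys always passes an allow-list, and keep a strict registration_errors check like the follow-up's so bad input is rejected rather than silently rewritten. It assumes the hz_ function names used in the thread and a normal WordPress plugin context; the stand-alone asserts at the end run in plain PHP.

```php
<?php
// Added example, not code from the thread. It hooks the per-key filter that
// sanitize_meta() applies ("sanitize_{$meta_type}_meta_{$meta_key}") and keeps a
// registration_errors check so invalid input is rejected, not just altered.
// The hz_ names are assumed plugin names, following the thread; hook names are WP's.

// Allow-list sanitizer for the thread's rule: letters, hyphen and underscore only.
// Tags, quotes, control bytes and whitespace are dropped, and the result is
// length-capped so a client cannot store arbitrarily large strings in user meta.
function hz_sanitize_name( $value ) {
    if ( ! is_string( $value ) ) {
        return '';
    }
    $value = preg_replace( '/[^A-Za-z_-]/', '', $value );
    return substr( $value, 0, 60 );
}

// Strict validator for registration_errors: the whole string must already be
// clean (\z rather than $ so a trailing newline cannot slip through).
function hz_is_valid_name( $value ) {
    return is_string( $value ) && preg_match( '/^[A-Za-z_-]{1,60}\z/', $value ) === 1;
}

if ( function_exists( 'add_filter' ) ) { // only inside WordPress
    // sanitize_meta() builds "sanitize_user_meta_first_name" etc. and applies it;
    // with no callback registered the raw value is stored (the moderator's point).
    foreach ( array( 'first_name', 'last_name' ) as $key ) {
        add_filter( "sanitize_user_meta_{$key}", 'hz_sanitize_name', 10, 1 );
    }

    // Reject, rather than rewrite, anything outside the allow-list at registration.
    add_filter( 'registration_errors', function ( $errors ) {
        foreach ( array( 'first_name', 'last_name' ) as $key ) {
            // $_POST is slashed by WP; validate the unslashed value.
            $raw = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
            if ( ! hz_is_valid_name( $raw ) ) {
                $errors->add( 'invalid_char_error', __( '<strong>ERROR</strong>: Names may contain only letters, hyphens and underscores.' ) );
                break;
            }
        }
        return $errors;
    }, 10, 3 );
}

// Stand-alone check (`php this-file.php` outside WordPress): markup and
// punctuation are stripped by the filter and rejected by the validator.
assert( hz_sanitize_name( 'Ann-Marie' ) === 'Ann-Marie' );
assert( hz_sanitize_name( '<b>Ann</b>; DROP' ) === 'bAnnbDROP' );
assert( hz_is_valid_name( '<b>Ann</b>' ) === false && hz_is_valid_name( 'Ann_Lee' ) === true );
```

The ASCII-only allow-list is the rule the thread settled on; it rejects apostrophes and non-Latin letters (O'Brien, José), so widen the character class if the site must accept them.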

  • The topic ‘Adding fields to front-end registration form: sanitize?’ is closed to new replies.