php - How to sanitize any integer input field in wordpress?

admin管理员组

文章数量:1122846

I would like to sanitize an input field of type integer WordPress. Like this..

<input type="number" name="amount" />

Now, what should I do?

I would like to sanitize an input field of type integer WordPress. Like this..

<input type="number" name="amount" />

Now, what should I do?

• php
• plugin-development

Share Improve this question asked Aug 18, 2021 at 9:02 Tarikul IslamTarikul Islam 2155 bronze badges 4

• 1 Do you want to sanitize the input data in the frontend or backend, or both? What does this field do? did you make this form or does it come from a plugin? – Buttered_Toast Commented Aug 18, 2021 at 9:03
• I want to sanitize frontend (actually both) data. Lets say price field – Tarikul Islam Commented Aug 18, 2021 at 9:50
• 1 Well a price field presumably has more requirements than a simple number. You can sanitize a positive integer with absint(), but for other types of numbers would would use core PHP functions. A price probably also requires a certain number of decimal places an potentially other things, so you would need to write your own function. So either way, this would be unrelated to WordPres. – Jacob Peattie Commented Aug 18, 2021 at 10:03
• 1 I uploaded a plugin into the WordPress plugin store and they asked me to sanitize all the input fields. Well there is sanitize_text_field(). I understand that I need to use this function to sanitize the text input field. But what should I use a number type input field? – Tarikul Islam Commented Aug 18, 2021 at 13:42

Add a comment  | 

1 Answer 1

Sorted by: Reset to default 0

It is odd that WordPress still does not provide a function to sanitize numbers. A common issue is that (int), etc. simply truncate the input and fail if the input contains separators. Forcing a type on input like 4,000 produces 4 not 4000, and separators are different depending on the locale.

There is NumberFormatter::parse(), which is quite strict:

$nf = new NumberFormatter('en_CA', NumberFormatter::DECIMAL);
var_dump($nf->parse('4 500,9', NumberFormatter::TYPE_INT64));
var_dump($nf->parse('4 5002,9', NumberFormatter::TYPE_INT64));

Output:

int(4500)
bool(false)

It also truncates numbers, and fails if input is not exactly the right format.

Alternatively, input can be parsed assuming anything that isn't an Arabic numeral (0-9), or the locale's decimal point, is irrelevant:

# get the expected decimal point character for the current locale
$radix = nl_langinfo(DECIMAL_POINT);
# fall back to "." if locale function failed, and escape it for use in PCRE
$radix = preg_quote($radix === false ? '.' : $radix, '/');
# scrub out anything that's not a digit or the decimal point
$parsed = preg_replace("/[^\d$radix]+/", '', $input);
# get number parts and tolerate repeated decimal points
$parsed = preg_split("/$radix+/", $parsed);
# either truncate any fraction...
$parsed_truncated = (int) $parsed[0];
# or round it
$parsed_rounded = (int) round($parsed[0] . '.' . ($parsed[1] ?? '0'), 0);

The rounded output will be 1010 from input like 10,0 9. 7. It doesn't handle negative numbers, but they could be detected by first searching the input for the presence of the character returned by nl_langinfo(NEGATIVE_SIGN).

本文标签： phpHow to sanitize any integer input field in wordpress