Learn how to validate your plugin settings. By ensuring that each setting is sanitized according to the expected type of data, you help to ensure a safe and secure plugin environment, and a more stable and consistent user experience.
- [Instructor] With our plugin settings in place and working properly, we're ready to complete the final callback function, which will be used to validate, or sanitize, our plugin settings. Here in the settings callback file, we have added this placeholder function, which doesn't do anything at this point. At the end of this video, this function will contain all of the code necessary to validate each of our plugin settings. From the exercise files, we can grab the complete validation code and use it to replace the placeholder function. Now we can explore the code and see how it works.
First, we have the validation code for the custom_url option. Because this option is designed to contain a URL, we can use the esc_url function to sanitize it. Basically, this code says, if the option is set, then sanitize it as a URL. Next we have the custom_title option. The custom_title option should contain a string of text with no markup.
So we can use sanitize_text_field to sanitize it. Basically this code says, if the custom_title option is set, then sanitize it. Next is the custom_style option. This option should contain one of the values defined in the $radio_options array. So, first we check if the option exists. If it does not exist, we set the value to null.
Then this next part checks the value of the option to make sure that it's defined in the array. So if it's not found in the array, the option is set to null. Next we have the custom_message option. This option should contain text and possibly some basic markup. So the validation code checks if the option exists, and if it does, we use the wp_kses_post function to sanitize it.
The next option is for the custom_footer text, which should contain only a string of text. This code checks if the option exists. If it does exist, we sanitize the option with sanitize_text_field, which we've seen previously in this video. Next we have the custom_toolbar option, which should contain a Boolean value that we can validate as either true or false. To sanitize this option, we first check if the option is set.
If not, we set the option value to null. Then we also check the value of the option to make sure that it's either true or false. And last, but not least, we have the custom_scheme option. This option should contain one of the values defined here in the select options array. So, first we check if the custom_scheme option exists, right here, and if it does not exist, we again set the value to null, just like with previous options.
Then, this next part checks the value of the option to make sure that it's defined in the array, and if it's not found in the array, the option is set to null. This is the same basic logic that we used to validate the radio option. Once all of our settings have been validated, we want to make sure to return the input variable, which we do here. Now, with everything in place, we can save the file, and check the results on the plugin page.
To verify that the validation function is working, we can modify the options and click Save Changes. We just want to change the options so that it will be processed and we can check the results. We click Save Changes, and yes, everything looks great. Let's also take a moment to check the Debug log for any errors. And the file is empty, which means no errors. So, we're all good. Now that our validation function is complete, let's tidy things up by moving the function to its own file.
To do so, we create a new file named settings-validate.php, and save it in the Admin directory. Let's go ahead and open the PHP script, and add a comment to keep things organized. Now we can move the entire validation function to its new home. So we return to the settings-callbacks file, and cut the function, and then add it here, in settings-validate.php.
Don't forget to Save Changes as you go. And while we're at it, we also want to add the no direct access code, which we can grab from the same file, and add it to the top of the settings-validate file. So, both of these files, like other PHP files, will include the no direct access code snippet. Here we have it here. And here we have it here. So, both files are good with that.
And the file now contains our validation function, and the no direct access code snippet. One more step. We need to include the new validation file in the main plugin file. To do so, we duplicate one of these lines, and then change the file name to settings-validate.php. And then Save Changes and done.
We can verify that the validation file is included properly by visiting the plugins page. And everything looks good. While we're here, we also want to verify that saving the settings actually works. So, let's change a few options, and click Save Changes. And yes, everything looks good. When we saved our changes, each of the settings was passed through our new validation function, making each of the options safe and secure.
In this tutorial, we learned how to validate our plugin settings. By ensuring that each setting is sanitized according to the expected type of data, we helped to ensure a safe and secure plugin environment, and a more stable and consistent user experience.
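The validation callback walked through in the video, reconstructed as an added example; this is not the course's exercise file. The function names and the contents of the two option arrays are assumptions, and the code expects to be loaded by WordPress as part of a plugin.

```php
<?php
// settings-validate.php (illustrative reconstruction, not the course exercise file)

// "No direct access" guard: exit unless WordPress itself loaded this file.
if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

// Hypothetical helper: return $value only if it is a key of $allowed, else null.
function myplugin_allowed_or_null( $value, array $allowed ) {
	return ( is_string( $value ) && array_key_exists( $value, $allowed ) ) ? $value : null;
}

// Hypothetical callback name; it would be passed to register_setting().
function myplugin_validate_options( $input ) {
	$input = is_array( $input ) ? $input : array();

	// Constructed option lists; the real ones live in the course's plugin code.
	$radio_options  = array( 'enable' => 'Enable', 'disable' => 'Disable' );
	$select_options = array( 'default' => 'Default', 'light' => 'Light', 'blue' => 'Blue' );

	// URL: esc_url() as in the video. WordPress also provides esc_url_raw(),
	// which is the variant meant for values stored in the database.
	if ( isset( $input['custom_url'] ) ) {
		$input['custom_url'] = esc_url( $input['custom_url'] );
	}

	// Plain text, no markup.
	foreach ( array( 'custom_title', 'custom_footer' ) as $key ) {
		if ( isset( $input[ $key ] ) ) {
			$input[ $key ] = sanitize_text_field( $input[ $key ] );
		}
	}

	// Text with the limited markup allowed in post content.
	if ( isset( $input['custom_message'] ) ) {
		$input['custom_message'] = wp_kses_post( $input['custom_message'] );
	}

	// Radio and select: anything outside the defined options becomes null.
	$input['custom_style']  = myplugin_allowed_or_null( $input['custom_style'] ?? null, $radio_options );
	$input['custom_scheme'] = myplugin_allowed_or_null( $input['custom_scheme'] ?? null, $select_options );

	// Checkbox: an unset option is read as null, then anything other than 1 is stored as 0.
	$toolbar                 = $input['custom_toolbar'] ?? null;
	$input['custom_toolbar'] = ( is_scalar( $toolbar ) && '1' === (string) $toolbar ) ? 1 : 0;

	return $input;
}
```

The `is_string()` and `is_scalar()` guards cover a submitted field that arrives as an array rather than a single value, which would otherwise raise a type error in the allow-list lookup on PHP 8.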