[wp-hackers] Removing empty values from serialized array

Otto otto at ottodestruct.com
Thu Aug 5 18:10:33 UTC 2010


Your data validation function needs to be smarter.

Your validation function basically looks like this:

function validate($input) {
    .. do some stuff to validate $input ..
    return $input;
}

This is actually wrong and somewhat unsafe. The $input is untrusted
data. What should be returned is *trusted* data. What if I was to
forge a new input of options[bad-thing] = 'malicious' and to send that
to your form? Your validation function isn't validating the
"bad-thing" option, so it passed right through, unchecked.

Instead, you should do this:
function validate($input) {
    $output = array();
    .. do some stuff to validate $input, but copy the validated values
       into $output ..
    return $output;
}

In this way, *only* the values you are checking make it through the function.

Then, all you have to do for a blank value is to not put it into the
$output array at all.

-Otto



On Thu, Aug 5, 2010 at 12:44 PM, Dan Gayle <dangayle at gmail.com> wrote:
> I have an options setting page that uses the register_setting() and
> settings_fields() functions to store my data in a serialized array,
> following the example set by Ozh here:
> http://planetozh.com/blog/2009/05/handling-plugins-options-in-wordpress-28-with-register_setting/
>
> When this field is unchecked, the key/value pair in the ozh_sample
> array is completely removed:
> <input name="pms_options[option1]" type="checkbox" value="1" <?php if
> (isset($options['option1'])) checked('1', $options['option1']); ?> />
>
> When this field is left blank, however, the value is blank, but the key remains:
> <input type="text" name="pms_options[affiliateID]" value="<?php echo
> (isset($options['affiliateID']) ) ? $options['affiliateID'] : NULL ;
> ?>
>
> So my question is twofold: why does the checkbox go away completely,
> and how can I get an empty options array key to go away? I've tried
> unsetting it, setting it to NULL, everything I can think of. How can
> you get rid of an empty value from a serialized array?
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>

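Added example (not Otto's code and not from the quoted page): a sanitize callback for register_setting() that builds $output from an allowlist of known keys and drops blank values. The option name pms_options and the keys option1 and affiliateID are taken from the question above; the function names pms_validate_options and pms_register_settings and the settings group name pms_options_group are assumed.

```php
<?php
// Allowlist-style sanitize callback: only keys we explicitly check are
// copied into $output, so a forged pms_options[bad-thing] is discarded.
function pms_validate_options($input) {
    $output = array();

    // Checkbox: an unchecked box is simply absent from $input, so nothing is
    // stored. When present, accept only the exact value '1' and store that.
    if (isset($input['option1']) && $input['option1'] === '1') {
        $output['option1'] = '1';
    }

    // Text field: trim and strip tags, then keep it only when non-empty.
    // A blank submission never reaches $output, so the key disappears from
    // the serialized array on save instead of persisting with an empty value.
    if (isset($input['affiliateID'])) {
        $affiliate = sanitize_text_field($input['affiliateID']);
        if ($affiliate !== '') {
            $output['affiliateID'] = $affiliate;
        }
    }

    // Return trusted data only: anything not handled above is gone.
    return $output;
}

// Hook the callback in as the third argument of register_setting()
// (the signature used in the post Dan linked).
function pms_register_settings() {
    register_setting('pms_options_group', 'pms_options', 'pms_validate_options');
}
add_action('admin_init', 'pms_register_settings');
```

Because the callback starts from an empty array, an empty affiliateID behaves exactly like an unchecked option1: the key is not written at all, which is what the question was asking for.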
