[wp-hackers] Thoughts on the Settings API callback

Philip Walton philip at philipwalton.com
Mon Apr 4 15:18:49 UTC 2011

I've used the settings API for a couple of plugins in my day, and 
overall I have no complaints. The advantages of it are clear and don't 
need to be listed here. However, I'm currently working on a slightly 
more complex plugin, and I'm running into a real issue that I thought 
I'd just share and ask for feedback on:

The sanitize_callback -- the fourth parameter of the `register_setting` 
function -- is not versatile enough. An actual validation callback is 

The sanitization callback is really just a filter 
(sanitize_option_%name%) added before an option is saved to the 
database. This is problematic because it's called whenever 
update_option() is called, which (if you didn't realize that, like I 
didn't at first) can lead to issues of recursion. And it means that any 
error checking logic you do -- such as if ( ... ) { 
add_settings_error(); } -- is called unnecessarily every time you save 
that option to the database.

But the more pressing concern of mine is that no validation is actually 
taking place. Even if you do clever workarounds to restore previously 
submitted data, set the input fields back to what they were, and show 
the proper error message(s), you STILL have to save the option to the 
database. You are not able to simply say, "Sorry, until your fill out 
this entire form correctly, I'm not going to save ANY of it!"

Developers should have the option to return false and do nothing on 
error -- like a true validation function should do. The amount of work 
I'm doing to fake validation is probably more work than if I had just 
not used the settings API at all.

Awaiting feedback informing me either how stupid I am or how much you 
agree. Both are welcome.

More information about the wp-hackers mailing list