I submitted a plugin to wordpress and I got a feedback that I have to escape this one $active_tab = isset( $_GET[ 'tab' ] ) ? $_GET[ 'tab' ] : 'front_page_options';

If I do like

$get_the_param = esc_html($_GET[ 'tab' ] );

$active_tab = isset( $get_the_param ) ? $get_the_param : 'front_page_options';

Seems to work but as isset ( Cannot use isset() on the result of an expression ) as $_GET is not set it will throw a notice? What can be the possible solution?

Thanks

I submitted a plugin to wordpress and I got a feedback that I have to escape this one $active_tab = isset( $_GET[ 'tab' ] ) ? $_GET[ 'tab' ] : 'front_page_options';

If I do like

$get_the_param = esc_html($_GET[ 'tab' ] );

$active_tab = isset( $get_the_param ) ? $get_the_param : 'front_page_options';

Seems to work but as isset ( Cannot use isset() on the result of an expression ) as $_GET is not set it will throw a notice? What can be the possible solution?

Thanks

• sanitization

• 1 This isn't really a Wordpress question it's a PHP question. Maybe you're looking for the PHP function empty() instead of isset() to check if $_GET['tab'] had anything in it? – mozboz Commented Aug 11, 2020 at 19:05
• @mozboz esc_html($_GET[ 'tab' ] ); this will throw error even before that – user145078 Commented Aug 11, 2020 at 19:16
• so you need to use empty, or isset or something similar before you do that then? – mozboz Commented Aug 11, 2020 at 19:19
• @mozboz Do you think this needs escaping? – user145078 Commented Aug 11, 2020 at 19:23
• Sanitising inputs is a very good idea – mozboz Commented Aug 11, 2020 at 19:25

1 Answer 1

The proper way to do that is using filter_input(). Here is an example for using a custom sanitize function:

$tab = filter_input(
    INPUT_GET, 
    'tab', 
    FILTER_CALLBACK, 
    ['options' => 'esc_html']
);

$tab = $tab ?: 'front_page_options';