
plugins - Is Wrapping intval() Around esc_attr() Redundant for Escaping Input?


My gut tells me wrapping esc_attr() in intval() is redundant when it comes to escaping input, but I would like to double-check.

Also: considering that <option value="">- select no. -</option> is hardcoded/value is null, that chunk of input wouldn't need to be escaped, correct?

Here is my current code set-up:

    <select name="_number">
    <option value="">- select no. -</option>
    <?php
    $savedNo = intval( get_post_meta( $post->ID, '_number', true ) );
    for ($x = 1; $x <= 100; $x++) {
        echo '<option value="'
            . intval(esc_attr($x)) . '"'
            . ($x === $savedNo ? ' selected="selected"' : '' )
            . '>'
            . 'No. ' . intval(esc_attr($x))
            . '</option>';
    }
    ?>
    </select>

Thank you!

asked Jan 23, 2020 at 17:39 by gardinermichael; edited Jan 23, 2020 at 18:06

2 Answers

Answer 1 (score 2):

Based on the WordPress documentation for the esc_attr function, it returns a string value. So, if you need the integer value, you need to use the intval function. But when you want to display that value or put it as part of the markup, it doesn't make sense.

Escape functions are useful for outputting and printing values. If you want to save a value in the database, the data type matters and you may need to use the intval function alongside sanitization.

In your case you don't need any of these functions on $x, because its values are created by the for loop and are safe.
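As an added example (not code from the question or the answer above), here is the same dropdown with the redundant calls removed: the loop counter is emitted as-is, the only untrusted value (the saved post meta) is cast to an integer once when it is read, and WordPress's selected() helper produces the selected attribute. It assumes WordPress is loaded, so get_post_meta(), absint() and selected() are available; the function name example_render_number_select is a placeholder chosen for this example.

```php
<?php
// Added example: hardened version of the number dropdown.
// Assumes WordPress is loaded (get_post_meta, absint, selected).

/**
 * Render the <select> for the '_number' meta field.
 *
 * @param int $post_id ID of the post being edited.
 */
function example_render_number_select( $post_id ) {
    // The saved value is the only untrusted input here: it came from the
    // database, where anything could have been stored. Casting it to an
    // integer once, at the boundary, is the sanitize-on-read step.
    // absint() is WordPress's non-negative integer cast; a missing meta
    // value ('') becomes 0, which matches no option.
    $saved_no = absint( get_post_meta( $post_id, '_number', true ) );

    echo '<select name="_number">';
    // Hard-coded placeholder: nothing dynamic, so nothing to escape.
    echo '<option value="">- select no. -</option>';

    for ( $x = 1; $x <= 100; $x++ ) {
        // $x is a PHP integer produced by the loop, not user input:
        // esc_attr( $x ) would only turn it into the string "1"..."100"
        // and intval() would turn that string straight back. Neither
        // call changes what is printed, so both are dropped.
        //
        // selected() compares the two values and returns the selected
        // attribute when they match (third argument false = return,
        // do not echo). Comparing ints to ints means === in the original
        // also worked, but only because $saved_no was cast first.
        echo '<option value="' . $x . '"' . selected( $saved_no, $x, false ) . '>'
            . 'No. ' . $x
            . '</option>';
    }

    echo '</select>';
}

// Where escaping does belong: on strings that reach the markup. A value
// attribute built from stored text would get esc_attr(), option text would
// get esc_html(). Casting to int belongs at the trust boundary (on save,
// or as here on read), and an int has nothing for esc_attr() to escape.
```

Call example_render_number_select( $post->ID ) from the meta box callback in place of the inline block.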
