ERROR | Detected usage of a non-sanitized input variable: $_POST
What WPCS is asking us to do is sanitize the input data before we use it. Exactly how that is done will depend on the type of data that $_POST['foo'] is. If it is a URL, we would use esc_url_raw() to sanitize it. If it is an email address, we’d use sanitize_email(). If it is just a generic string of text, we’d use sanitize_text_field(), like this:
if ( isset( $_POST['foo'] ) ) {
	// Remove the slashes WordPress adds to request data, then sanitize.
	$foo = sanitize_text_field( wp_unslash( $_POST['foo'] ) );
	// ...
}
It is also possible that the input data could be a complex array structure. For more information on how to deal with that, see our wiki page on sanitizing array input data.
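The per-type choices described above, combined in one form handler. This is an added example, not code from WPCS or the WordPress handbook; the function name, nonce action and field names (website, email, name, tags) are assumptions, and it runs inside WordPress.

```php
<?php
/**
 * Hypothetical handler (added example): reads four POST fields and
 * sanitizes each with the function that matches its data type.
 */
function myplugin_read_contact_form() {
	// Reject the request unless it carries a valid nonce (assumed names).
	check_admin_referer( 'myplugin_contact', 'myplugin_nonce' );

	$clean = array(
		'website' => '',
		'email'   => '',
		'name'    => '',
		'tags'    => array(),
	);

	// URL: esc_url_raw() drops disallowed protocols and invalid characters.
	if ( isset( $_POST['website'] ) ) {
		$clean['website'] = esc_url_raw( wp_unslash( $_POST['website'] ) );
	}

	// Email address: strips characters that are not valid in an address.
	if ( isset( $_POST['email'] ) ) {
		$clean['email'] = sanitize_email( wp_unslash( $_POST['email'] ) );
	}

	// Generic text: strips tags, line breaks and surplus whitespace.
	if ( isset( $_POST['name'] ) ) {
		$clean['name'] = sanitize_text_field( wp_unslash( $_POST['name'] ) );
	}

	// Flat array of strings: unslash the whole array, sanitize each element.
	// A nested array element comes back as '' from sanitize_text_field().
	if ( isset( $_POST['tags'] ) && is_array( $_POST['tags'] ) ) {
		$clean['tags'] = array_map( 'sanitize_text_field', wp_unslash( $_POST['tags'] ) );
	}

	return $clean;
}
```

Callers use only the returned array and never read $_POST again, so every value downstream has passed through exactly one sanitizer.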
For a complete list of sanitizing functions which WPCS recognizes, check WordPress\Sniff::$sanitizingFunctions. You can also check the WordPress plugin handbook for more information.