
Is there a way to sanitize a `$_REQUEST` array value so that it satisfies the phpcs standards for WordPress? Below is what I have so far, but phpcs still reports an error on the first assignment from the request, and I cannot figure out how to sanitize the value without assigning it first.

// Bulk-delete handler: runs when either the `action` or the `action2` request field equals 'delete'.
if ( ( isset( $_REQUEST['action'] ) && 'delete' === $_REQUEST['action'] ) || ( isset( $_REQUEST['action2'] ) && 'delete' === $_REQUEST['action2'] ) ) {
    // Read the nonce field, unslashed and sanitized in one expression; falls back to '' when absent.
    $nonce = isset( $_REQUEST['delete_bulk'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['delete_bulk'] ) ) : '';

    // The nonce ties the request to the 'delete_bulk' action (CSRF protection).
    // NOTE(review): a nonce is not an authorization check; confirm a current_user_can() test guards this handler.
    if ( wp_verify_nonce( $nonce, 'delete_bulk' ) ) {
        if ( isset( $_REQUEST['bulkcheck'] ) ) {
            // The raw superglobal value is copied here and only sanitized later, inside the loop.
            // NOTE(review): presumably the sniff wants the unslash + sanitize calls in this same
            // expression; confirm against the exact phpcs message.
            $checks    = $_REQUEST['bulkcheck']; // This generates phpcs errors.
            $bulkcheck = array();
            // Copy each submitted value under its original key, unslashed and sanitized as text.
            // NOTE(review): assumes `bulkcheck` arrives as an array; nothing here verifies that.
            foreach ( $checks as $key => $val ) {
                $bulkcheck[ $key ] = ( isset( $checks[ $key ] ) ) ? sanitize_text_field( wp_unslash( $val ) ) : '';
            }
        }
        // NOTE(review): $bulkcheck is only assigned inside the isset() branch above, so it is
        // undefined here when no `bulkcheck` field was submitted.
        $this->quotes_delete_bulk( $bulkcheck );
        // Redirect back to the plugin's admin page.
        // NOTE(review): header() does not stop execution, and no exit follows it in this snippet.
        header( 'Location: ' . get_bloginfo( 'wpurl' ) . '/wp-admin/admin.php?page=My-Plugin' );
    } else {
        // Nonce missing or invalid: store the error message instead of deleting anything.
        $this->msg = $this->nonce_error();
    }
}
oooorgle

1 Answer


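See sanitize_key(). Note that it expects a single scalar value and returns an empty string for anything else, so an array such as `bulkcheck` has to be sanitized element by element.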

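// Bulk-delete handler: runs when either the `action` or the `action2` request field equals 'delete'.
if ( ( isset( $_REQUEST['action'] ) && 'delete' === $_REQUEST['action'] ) || ( isset( $_REQUEST['action2'] ) && 'delete' === $_REQUEST['action2'] ) ) {
    // Read the nonce field, unslashed and sanitized in one expression; falls back to '' when absent.
    $nonce = isset( $_REQUEST['delete_bulk'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['delete_bulk'] ) ) : '';

    // The nonce ties the request to the 'delete_bulk' action (CSRF protection).
    // NOTE(review): a nonce is not an authorization check; confirm a current_user_can() test guards this handler.
    if ( wp_verify_nonce( $nonce, 'delete_bulk' ) ) {
        // Start from an empty list so quotes_delete_bulk() never receives an undefined
        // variable when no `bulkcheck` field was submitted.
        $bulkcheck = array();

        if ( isset( $_REQUEST['bulkcheck'] ) ) {
            // sanitize_key() accepts one scalar and yields '' for an array, so it is mapped over
            // the elements instead of being applied to the whole value. array_map() keeps the
            // original keys, and the (array) cast keeps a scalar `bulkcheck` from raising an error.
            // NOTE(review): if the values are always numeric row IDs, 'absint' would be a tighter filter.
            $bulkcheck = array_map( 'sanitize_key', (array) wp_unslash( $_REQUEST['bulkcheck'] ) );
        }

        $this->quotes_delete_bulk( $bulkcheck );
        // Redirect back to the plugin's admin page.
        // NOTE(review): header() does not stop execution; the usual WordPress pattern is
        // wp_safe_redirect() followed by exit.
        header( 'Location: ' . get_bloginfo( 'wpurl' ) . '/wp-admin/admin.php?page=My-Plugin' );
    } else {
        // Nonce missing or invalid: store the error message instead of deleting anything.
        $this->msg = $this->nonce_error();
    }
}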
BWBama85
  • When I select, say, 10 records to be deleted, `$checks = $_REQUEST['bulkcheck'];` returns: `array(10) { [0]=> string(4) "2027" [1]=> string(4) "2026" [2]=> string(4) "2025" [3]=> string(4) "2024" [4]=> string(4) "2023" [5]=> string(4) "2022" [6]=> string(4) "2021" [7]=> string(4) "2020" [8]=> string(4) "2019" [9]=> string(4) "2018" }`. When I sanitize and unslash, it returns: `string(0) ""` – oooorgle Sep 04 '22 at 23:00
  • I edited my answer. Please try sanitize_key(). – BWBama85 Sep 08 '22 at 03:51
  • Same result: `string(0) ""` – oooorgle Sep 11 '22 at 02:17