如何清理复选框？

Question

I have googled this, and also searched for an answer here on Stackoverflow. But nothing has really been a clear answer on how to sanitize a checkbox value.

I understand that if my input is:

<input type="checkbox" value="submit_doors">

That someone can replace the value within their dev tools - and this information would be sent to the server.

So how should I go about sanitizing checkbox/radio inputs? Should I be checking the value with (int), should I be sanitizing the value like I do with every other input/select field?

For the record, I'm developing my site using WordPress, and to sanitize a text input for example I am doing this:

$turbo = trim( sanitize_text_field( wp_kses( $_POST['submit_induction_turbo'], $allowed_html ) ) );

Should I be running all these checks over checkboxes too? Or is this overkill?

Answer 1

At first you need to give your input field a name so that you can access it from $_POST variable.

Let's say you have the following input field and you want to sanitize it.

<input type="checkbox" name="door" value="submit_doors">

you can use the function to sanitize any checkbox.

/**
 * Sanitize checkbox
 * @param int | string $input the input value to be sanitized
 * @param int | string $expected_value The expected value
 * @return int | string it returns the sanitize value of the checkbox.
 */
function prefix_sanitize_checkbox( $input, $expected_value=1 ) {
    if ( $expected_value == $input ) {
        return $expected_value;
    } else {
        return '';
    }
}

For example: if you want to check if your user submit the value "submit_doors" from the check box, then you can use the function like this.

$sanitized_value = !empty($_POST['door']) ? prefix_sanitize_checkbox($_POST['door'], 'submit_doors') : ''; // this will return the value only if the checkbox contains the value "submit_doors", otherwise, it will return empty string.

This way, the function is flexible. It can sanitize true false value and 1 and also other string value if passed to the second argument.