The correct way to get URL parameter values in WordPress

URL query parameters really come in handy. For example, in eForm we use data from query parameters to pre-populate/prefil form elements.

But what is the most effective, foolproof way to get the data? Is a simple $_REQUEST[ $key ] enough? Of course not. The reasons being:

  • WordPress adds slashes to the $_REQUEST array before-hand. So even if magic quote is turned off, you will get slashes.
  • The raw data can expose to cross site vulnerability like XSS.

So I put together a really simple function to properly get values from the URL parameters. You can use it whereever you like.

<?php
/**
 * Gets the request parameter.
 *
 * @param      string  $key      The query parameter
 * @param      string  $default  The default value to return if not found
 *
 * @return     string  The request parameter.
 */
function get_request_parameter( $key, $default = '' ) {
	// If not request set
	if ( ! isset( $_REQUEST[ $key ] ) || empty( $_REQUEST[ $key ] ) ) {
		return $default;
	}

	// Set so process it
	return strip_tags( (string) wp_unslash( $_REQUEST[ $key ] ) );
}

Here three things are happening.

  • First we check if the request key is present or not. If not, then just return a default value.
  • If it is set, then we first remove slashes by doing wp_unslash. Read here why it is better than stripslashes_deep.
  • Then we sanitize the value by doing a simple strip_tags. If you expect rich text from parameter, then run it through wp_kses or similar functions.

Leave a Reply