Are values passed to the WooCommerce update_meta_data method fully sanitized? - wordpress

I'm writing a WordPress plugin in which there is an input form for users with which they can add notes. I'm using the WooCommerce update_meta_data method to save notes in the database.
Considering this code:
$note = isset($_POST['order_note']) ? sanitize_text_field($_POST['order_note']) : '';
$order->update_meta_data('_order_note', wp_json_encode($note));
$order->save_meta_data();
I know that update_post_meta sanitizes data (SQL injection) before inserting it into the database, but how about update_meta_data?
Is the above code safe to use for inserting data into the database?

update_meta_data
As far as I can see in Woo's update_meta_data source code, there isn't any sanitizing function being called.
update_metadata
On the other hand, if you take a look at the WordPress update_metadata docs, there are two sanitizing functions being called:
sanitize_key (source code)
and
sanitize_meta (source code)
So to answer your question, yes I would use a sanitizing function too before I update the meta data using update_meta_data.
In order to do that, sanitize_text_field would usually get the job done fine, but if you want to be sure that you're using the right sanitizing function, then use sanitize_meta (docs) instead. That's what WordPress itself is using. Security-wise, I, personally, never had any problems using sanitize_text_field, nor did I see anybody else having any problems with it. The snippet you provided us with looks safe to me.
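
Added example (not part of the original answer and not WooCommerce's own code): a form handler that applies the sanitize-before-store advice above and adds the checks that sanitizing the value does not cover, namely a nonce, an ownership check and escaping on output. The action, nonce, field and function names are hypothetical; it assumes the form is posted by a logged-in customer through admin-post.php, and it stores the plain string rather than the JSON-encoded one from the question.

```php
<?php
// Added example. The action, nonce, field and function names are hypothetical.
add_action( 'admin_post_myplugin_save_order_note', 'myplugin_save_order_note' );

function myplugin_save_order_note() {
	$deny = array( 'response' => 403 );

	// CSRF check: the form must carry a nonce created for this action.
	$nonce = isset( $_POST['myplugin_nonce'] ) ? sanitize_key( wp_unslash( $_POST['myplugin_nonce'] ) ) : '';
	if ( ! wp_verify_nonce( $nonce, 'myplugin_save_order_note' ) ) {
		wp_die( 'Invalid request.', '', $deny );
	}

	// Authorisation: only the logged-in customer who owns the order may write to it.
	$order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
	$order    = $order_id ? wc_get_order( $order_id ) : false;
	$user_id  = get_current_user_id();
	if ( ! ( $order instanceof WC_Order ) || ! $user_id || (int) $order->get_customer_id() !== $user_id ) {
		wp_die( 'You cannot edit this order.', '', $deny );
	}

	// WordPress adds slashes to $_POST, so unslash before sanitizing.
	// sanitize_text_field() strips tags, line breaks and invalid UTF-8.
	$raw  = isset( $_POST['order_note'] ) ? wp_unslash( $_POST['order_note'] ) : '';
	$note = is_string( $raw ) ? sanitize_text_field( $raw ) : '';
	$note = mb_substr( $note, 0, 500 ); // Bound what gets stored (the limit is arbitrary).

	// Store the plain string; JSON-encoding a single string only adds quotes
	// and escapes that every reader then has to decode.
	$order->update_meta_data( '_order_note', $note );
	$order->save_meta_data();

	wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
	exit;
}

// Output side: escape for the context the value is printed into.
function myplugin_render_order_note( $order ) {
	$note = $order->get_meta( '_order_note' );
	if ( is_string( $note ) && '' !== $note ) {
		echo '<p class="order-note">' . esc_html( $note ) . '</p>';
	}
}
```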

Related

Using handlebars to filter specific products from a JSON object?

Kind of a weird and specific question but here I go.
I can currently pull all my products through YAML and through some really brute-force methods, I would be able to sort the product out by custom fields.
I have a multiple choice wizard the user has to fill and in the end, I get an object that looks something like this:
{
stoneType: ['Granite', 'Quartz', 'Glass'],
stoneFinish: ['Polished', 'Honed'],
stoneConcern: ['Floor Care'],
labels: ['Daily Cleaning', 'Stain Removal']
}
I can't (or at least I don't know how to) get this data into my HTML to use the data stored in my YAML code and render the specific products.
I believe I can solve this issue if I were able to pass the array of products into javascript using some sort of handlebars helper(?) but Bigcommerce doesn't allow for custom helper functions.
I read online that you can bypass this by installing handlebars but that is not working for me.
When I installed handlebars through NPM, I get this error:
GET http://localhost:3000/stencil/00000000-0000-0000-0000-000000000001/dist/theme-bundle.main.js 404 (Not Found)
Is there a way for me to get custom helper functions working or another possible idea to sort & filter the products?
Thank you, appreciate the help.
EDIT: I have also tried manually downloading Handlebars.js and including the file, but I get the error Handlebars is not defined. I must be doing something wrong...

What is the real use of __return_empty_array in WordPress and when should we use it?

I have started learning WordPress plugin development recently, but I can't understand the function __return_empty_array. It returns an array, but when should we really use it?
__return_empty_array returns an empty array. It is used to return an empty array to filters. For example, consider the case of turning off the link to the authors page. You can add the following code to functions.php to get it done.
add_filter ('author_rewrite_rules', '__return_empty_array');
In this case an empty array is returned and __return_empty_array is used for it. Hope you get me.

updated_{$meta_type}_meta not firing, but updated_post_meta is

I'm not sure if I'm using it correctly, but I can't get the updated_{$meta_type}_meta hook to work. There is an updated_post_meta hook which runs when you save a post's meta (and possibly other times, I haven't checked). I can't find much reference to updated_{$meta_type}_meta apart from here, so I don't really understand if I am even hooking it correctly, because I didn't read it properly at first and so thought it should be used like: updated_CPT_meta, but that didn't work, so I tried a meta key instead of the CPT.
My question is, what should $meta_type be?
Of course I found this straight after I posted
As the page at https://core.trac.wordpress.org/browser/tags/3.8.1/src/wp-includes/meta.php#L0 states, $meta_type is the "Type of object metadata is for (e.g., comment, post, or user)."
So, you should just use it as updated_post_meta for any CPTs also.
duh.

What's "function_exists" in WordPress

I'm very new to WordPress. I was going through the Smooth Slider WP plugin and saw
if ( function_exists( 'get_smooth_slider_category' ) ) { get_smooth_slider_category('Uncategorized'); }
This pretty much gives what I wanted, but not quite. This pulls all the content in the category and what I'm after is just the image URL.
My question is, what's "function_exists" in WordPress? I checked for get_smooth_slider_category in the functions.php file but couldn't find any. Can someone please explain how function_exists works?
function_exists is a PHP function, not limited to WordPress.
From the manual "Checks the list of defined functions, both built-in (internal) and user-defined, for function_name."
It returns true or false on whether or not the function exists. So you can either create a new function before it that does something slightly different, or prevent an error if it doesn't exist (normally because the required file hasn't been included).
This is a PHP function that checks if the passed in name matches any defined functions (either internal, or user defined).
It is a way to check if a function is "available" before calling it.

Where can I echo the search SQL for a ?s=words type search?

I am trying to debug the Search Everything plugin, which has worked before for me on sites but is not working (returns zero results) on a current site. If I could see what SQL was being performed, I could get a better idea of what's wrong. This is for a normal search box type search of posts and pages, etc.
The SQL is generated in the get_posts() function in wp-includes/query.php. If that link doesn't take you to the right spot, search the function for if ( !empty($q['s']) ).
Looks like the posts_search filter is called immediately after that block, so you could hook into that to dump the generated SQL to a file (if echoing doesn't work).
