Verifying and Saving User Input

You might have noticed that these form fields contain nonces (codex.wordpress.org/Wordpress_Nonce_Implementation). A nonce is a number used once, and it's a security precaution you didn't have to take when you created plugins because you were using the settings API, which handled all that for you. Here, you aren't registering any settings. Instead, you are saving user input directly to the database, and you need to verify that the data in $_POST came from a valid source. In order to do that, you create a nonce for each box. The wp_nonce_field() function creates a hidden form field. It can take just one argument, a key you use to check the value later ('course_code_nonce'). If you were using just one nonce, you could leave it at that, and the field's name would be _wp_nonce by default. However, in this form you have two nonces, and you need to give each one a unique name, so you use a second argument to do so.

Finally, you have to write a function to save your custom field data when the post is saved. Anything in the standard meta box would be handled automatically, but custom meta box fields must be updated manually, as shown in Listing 12-24. You need to make sure this function runs every time a post is saved, so use the save_post() action hook.

Listing 12-24. Saving the meta box fields

add_action( 'save_post', 'save_course_meta_data' );

function save_course_meta_data( $post_id ) {
    global $post;

    // ignore autosaves
    if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) return $post_id;

    // check nonces
    check_admin_referer( 'course_code_nonce', '_course_code_nonce' );
    check_admin_referer( 'instructor_nonce', '_instructor_nonce' );

    // check capabilities
    if ( 'course' == $_POST['post_type'] && !current_user_can( 'edit_post', $post_id ) ) return $post_id;

    // save the custom fields, one by one

    // course code field
    if ( empty( $_POST['_course_code'] ) ) {
        // see what the original value was
        $storedcode = get_post_meta( $post_id, '_course_code', true );
        // remove it from the database
        delete_post_meta( $post_id, '_course_code', $storedcode );
    }
    // if the field isn't empty, we need to save it
    else {
        update_post_meta( $post_id, '_course_code', $_POST['_course_code'] );
    }

    // instructor name field
    if ( empty( $_POST['_instructor_name'] ) ) {
        $storedname = get_post_meta( $post_id, '_instructor_name', true );
        delete_post_meta( $post_id, '_instructor_name', $storedname );
    }
    else {
        update_post_meta( $post_id, '_instructor_name', $_POST['_instructor_name'] );
    }

    // instructor email field
    if ( empty( $_POST['_instructor_email'] ) ) {
        $storedemail = get_post_meta( $post_id, '_instructor_email', true );
        delete_post_meta( $post_id, '_instructor_email', $storedemail );
    }
    else {
        update_post_meta( $post_id, '_instructor_email', $_POST['_instructor_email'] );
    }
}

First, you need to check whether this save_post action is being called as a result of an autosave. If it is, you don't need to process the custom fields yet, so you return the post ID and exit the function.

Next, you need to check the nonces you created in the form field functions. The check_admin_referer() function would usually take just one argument, the key you provided when you created the nonce. However, since you're using two, you need to use the second argument (the unique identifier). If either nonce fails verification, you again exit the function without saving the fields.

There's one last thing you need to check before you can save the fields: the user's capabilities. Back when you created the course content type, you had the option of specifying an edit capability other than edit_post. Since you didn't, that's the capability you need to check here.

Once you know that you're allowed to save the data, you need to check whether there's anything in each field. If there isn't, you call delete_post_meta() to remove its row from the wp_postmeta table. This function requires three arguments: the post ID, the meta key, and the previously stored value. You can again use get_post_meta() to fetch the stored value so you can pass it to delete_post_meta().

If the fields aren't empty, you need to update them. The update_post_meta() function requires the ID, the meta key, and the new value.
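The following is an added example, not code from the book or from the listing above. It rewrites the same save handler with the checks a reviewer would ask for before trusting $_POST: the nonces are verified with wp_verify_nonce(), which returns false instead of calling wp_die() the way check_admin_referer() does, so a stale or missing nonce quietly skips the save; the capability check is tied to the post type read from the database with get_post_type() rather than to the posted post_type value; and each field is unslashed and run through a sanitizer before it is stored, with the email field additionally required to pass is_email(). The nonce keys, field names and meta keys are those from the listing; the function name course_save_meta_hardened and the use of wp_unslash() (WordPress 3.6 and later) are assumptions for this example.

```php
<?php
/*
 * Added example (not the book's code): a hardened version of the
 * save_post handler for the course meta boxes. Assumes the meta box
 * render functions emit the two nonce fields exactly as the book
 * describes ('course_code_nonce' in '_course_code_nonce' and
 * 'instructor_nonce' in '_instructor_nonce').
 */

add_action( 'save_post', 'course_save_meta_hardened' );

function course_save_meta_hardened( $post_id ) {
	// Autosaves and revisions never carry the meta box fields, so bail early.
	if ( defined( 'DOING_AUTOSAVE' ) && DOING_AUTOSAVE ) {
		return;
	}
	if ( wp_is_post_revision( $post_id ) ) {
		return;
	}

	// Only handle the course content type; read the type from the post
	// itself rather than trusting $_POST['post_type'].
	if ( 'course' !== get_post_type( $post_id ) ) {
		return;
	}

	// Verify both nonces. wp_verify_nonce() returns false on failure, so a
	// bad or missing nonce skips the save instead of killing the request.
	if ( ! isset( $_POST['_course_code_nonce'], $_POST['_instructor_nonce'] )
		|| ! wp_verify_nonce( $_POST['_course_code_nonce'], 'course_code_nonce' )
		|| ! wp_verify_nonce( $_POST['_instructor_nonce'], 'instructor_nonce' ) ) {
		return;
	}

	// The nonce proves the form came from this site; the capability check
	// proves the current user may edit this particular post.
	if ( ! current_user_can( 'edit_post', $post_id ) ) {
		return;
	}

	// One sanitizer per field. WordPress adds slashes to $_POST, so the raw
	// value is unslashed before it is cleaned.
	$fields = array(
		'_course_code'      => 'sanitize_text_field',
		'_instructor_name'  => 'sanitize_text_field',
		'_instructor_email' => 'sanitize_email',
	);

	foreach ( $fields as $key => $sanitizer ) {
		$raw   = isset( $_POST[ $key ] ) ? wp_unslash( $_POST[ $key ] ) : '';
		$value = call_user_func( $sanitizer, $raw );

		// An address that does not pass is_email() is treated as empty
		// rather than stored as-is.
		if ( '_instructor_email' === $key && '' !== $value && ! is_email( $value ) ) {
			$value = '';
		}

		if ( '' === $value ) {
			// With no value argument, delete_post_meta() removes every row
			// for this key, so the stored value need not be fetched first.
			delete_post_meta( $post_id, $key );
		} else {
			update_post_meta( $post_id, $key, $value );
		}
	}
}
```

Because this handler returns silently on a failed nonce, a user who submits an expired form sees the post saved without the custom fields rather than the "Are you sure you want to do this?" screen that check_admin_referer() produces; which behaviour you prefer is a design choice, but either way the fields are never written from an unverified request.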

That's it! You can now edit and save the custom fields in their own meta boxes instead of the main Custom Fields box.
