Trusting external data without validation leads to:
- Security vulnerabilities - SQL injection, XSS, unsafe file uploads
- Application crashes - unexpected data types or structures
- Data corruption - invalid data saved to the database
- Poor user experience - cryptic errors when things break
```php
// DANGEROUS: Trusting API response
$data = json_decode( wp_remote_retrieve_body( $response ), true );
echo $data['temperature']; // What if key doesn't exist?
```

```php
// SAFE: Validate everything
$body = wp_remote_retrieve_body( $response );
$data = json_decode( $body, true );
if ( JSON_ERROR_NONE !== json_last_error() ) {
	return null; // Invalid JSON
}
if ( ! isset( $data['temperature'] ) || ! is_numeric( $data['temperature'] ) ) {
	return null; // Missing or invalid field
}
return (float) $data['temperature'];
```

What to validate in an API response:
- Response code (200 OK?)
- JSON validity
- Required fields exist
- Correct data types
- Reasonable values
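Added example, not code from the original page, that turns the safe pattern above into a complete fetch covering every item on the API-response checklist. The weather endpoint, its JSON shape, the temperature range and the two function names are assumptions; the WordPress HTTP API calls (`wp_remote_get`, `is_wp_error`, `wp_remote_retrieve_response_code`, `wp_remote_retrieve_body`) are real. The parsing step is kept free of WordPress calls so it can be exercised without a WordPress install.

```php
<?php
// Added example, not from the original page. Assumes a hypothetical weather
// endpoint that answers with {"temperature": 21.5, "unit": "C"}.

/**
 * Pure validation step: body string in, float out (or null on any problem).
 * No WordPress dependencies, so it runs stand-alone and is easy to unit-test.
 */
function parse_temperature_body( string $body ): ?float {
	$data = json_decode( $body, true, 8 );          // depth limit: reject absurd nesting
	if ( JSON_ERROR_NONE !== json_last_error() ) {
		return null;                                 // not JSON at all (e.g. an HTML error page)
	}
	if ( ! is_array( $data ) ) {
		return null;                                 // valid JSON, but a scalar, not an object
	}
	if ( ! isset( $data['temperature'] ) || ! is_numeric( $data['temperature'] ) ) {
		return null;                                 // required field missing or wrong type
	}
	$temperature = (float) $data['temperature'];
	// Reasonable values: assumed plausible range for a surface air temperature in Celsius.
	if ( $temperature < -100.0 || $temperature > 70.0 ) {
		return null;
	}
	return $temperature;
}

/**
 * Full fetch. Returns null on any failure so the caller never has to tell
 * "network down" apart from "malformed body"; both mean "no usable value".
 */
function fetch_temperature( string $url ): ?float {
	$response = wp_remote_get( $url, array( 'timeout' => 5 ) );
	if ( is_wp_error( $response ) ) {
		return null;                                 // DNS, TLS or timeout failure
	}
	// Response code: 4xx/5xx bodies are usually HTML, never the JSON we expect.
	if ( 200 !== (int) wp_remote_retrieve_response_code( $response ) ) {
		return null;
	}
	return parse_temperature_body( wp_remote_retrieve_body( $response ) );
}

// Constructed sample bodies, one per rejection path, checked with assert().
assert( 21.5 === parse_temperature_body( '{"temperature": 21.5}' ) );
assert( 21.5 === parse_temperature_body( '{"temperature": "21.5"}' ) );   // numeric string is fine
assert( null === parse_temperature_body( '{"temperature": "hot"}' ) );    // wrong type
assert( null === parse_temperature_body( '{"humidity": 40}' ) );          // field missing
assert( null === parse_temperature_body( '<html>Bad Gateway</html>' ) ); // not JSON
assert( null === parse_temperature_body( '"21.5"' ) );                    // JSON, but not an object
assert( null === parse_temperature_body( '{"temperature": 9999}' ) );    // out of range
```

Run the file with `php` on the command line to exercise the parser; `fetch_temperature()` is only callable inside WordPress. Returning `null` for every failure keeps the calling code simple: it shows a "temperature unavailable" message instead of a cryptic notice or a bogus value.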
What to validate in a file upload:
- File exists
- File type (MIME)
- File size
- Filename safety
- No malicious content

What to validate in user input:
- Required fields present
- Correct data types
- Value ranges
- Format (email, URL, etc.)

What to validate in a file read from disk:
- File exists
- Readable
- Valid format
- Expected structure
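Added example (not code from the original page) working through the file-upload checklist above for a hypothetical plugin that accepts only PNG/JPEG images up to 2 MB. The size limit, the allowlist, the function name and the form field name `plugin_image` are assumptions; the checks use standard PHP so the function runs outside WordPress, with the WordPress equivalents named in comments.

```php
<?php
// Added example, not from the original page. Validates one $_FILES entry
// before it is handed to wp_handle_upload(). Policy is hypothetical:
// PNG/JPEG only, at most 2 MB.

const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;

// Allowlist of extension => MIME type the file's bytes must actually have.
const ALLOWED_IMAGE_TYPES = array(
	'png'  => 'image/png',
	'jpg'  => 'image/jpeg',
	'jpeg' => 'image/jpeg',
);

/**
 * Returns array( 'ok' => true, 'name' => <safe filename> ) on success,
 * or array( 'ok' => false, 'error' => <code> ) naming the first failed check.
 */
function validate_image_upload( array $file ): array {
	// File exists: PHP reported a successful upload, and the temp path really
	// is an uploaded file rather than a path someone injected into the array.
	if ( UPLOAD_ERR_OK !== ( $file['error'] ?? UPLOAD_ERR_NO_FILE ) ) {
		return array( 'ok' => false, 'error' => 'upload_failed' );
	}
	$tmp = (string) ( $file['tmp_name'] ?? '' );
	if ( '' === $tmp || ! is_uploaded_file( $tmp ) ) {
		return array( 'ok' => false, 'error' => 'not_an_uploaded_file' );
	}

	// File size: measure the file on disk, not the client-reported $file['size'].
	$size = filesize( $tmp );
	if ( false === $size || 0 === $size || $size > MAX_UPLOAD_BYTES ) {
		return array( 'ok' => false, 'error' => 'bad_size' );
	}

	// Filename safety: drop any directory part, keep only safe characters,
	// and refuse dotfiles. (Inside WordPress, sanitize_file_name() does this.)
	$name = basename( (string) ( $file['name'] ?? '' ) );
	$name = preg_replace( '/[^A-Za-z0-9._-]/', '-', $name );
	$name = ltrim( $name, '.' );
	$ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
	if ( '' === $name || ! array_key_exists( $ext, ALLOWED_IMAGE_TYPES ) ) {
		return array( 'ok' => false, 'error' => 'bad_extension' );
	}

	// File type (MIME): sniff the bytes. $file['type'] is sent by the client
	// and proves nothing. (WordPress: wp_check_filetype_and_ext().)
	$mime = ( new finfo( FILEINFO_MIME_TYPE ) )->file( $tmp );
	if ( ALLOWED_IMAGE_TYPES[ $ext ] !== $mime ) {
		return array( 'ok' => false, 'error' => 'mime_mismatch' );
	}

	// No malicious content: for images, require that the image parser accepts
	// the file, so a non-image renamed to .png is rejected here.
	if ( false === @getimagesize( $tmp ) ) {
		return array( 'ok' => false, 'error' => 'not_an_image' );
	}

	return array( 'ok' => true, 'name' => $name );
}

// Usage inside a form handler (field name "plugin_image" is assumed):
// $result = validate_image_upload( $_FILES['plugin_image'] ?? array() );
// if ( ! $result['ok'] ) {
//     wp_die( esc_html( 'Upload rejected: ' . $result['error'] ) );
// }
```

The order matters: cheap checks (upload status, size, extension) run before the file is opened, and the sniffed MIME type is compared against what the extension promises rather than against a blocklist of dangerous types. Only after every check passes does the sanitized name go on to `wp_handle_upload()`.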
```php
// Type validation
filter_var( $value, FILTER_VALIDATE_INT );
filter_var( $email, FILTER_VALIDATE_EMAIL );
filter_var( $url, FILTER_VALIDATE_URL );

// WordPress validation
is_email( $email );
validate_username( $username );
sanitize_text_field( $input ); // sanitizes (strips tags, odd bytes) rather than validates

// Structure validation
isset( $array['key'] );
is_array( $data );
count( $array ) === 3;
```

✅ Validate ALL external data
✅ Check response codes
✅ Validate JSON/XML structure
✅ Check data types
✅ Verify file uploads
✅ Use filter_var()
✅ Whitelist, don't blacklist
❌ Don't trust API responses
❌ Don't trust user input
❌ Don't trust file uploads
❌ Don't trust environment variables
❌ Don't assume structure
❌ Don't skip type checking
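Added example, not from the original page, applying "whitelist, don't blacklist" and `filter_var()` to a hypothetical plugin settings form; the field names, limits and function name are assumptions. It goes a step beyond the snippets above: `filter_var()` is given a value range, the allowlist comparison is strict, and array values submitted where a string is expected are refused instead of crashing later.

```php
<?php
// Added example, not from the original page. Validates a hypothetical settings
// form with a refresh interval, a units selector and a contact e-mail.

// Allowlist of accepted units. Compared strictly, so "0" or true cannot match.
const ALLOWED_UNITS = array( 'celsius', 'fahrenheit' );

/**
 * Returns array( 'ok' => bool, 'data' => <clean values>, 'errors' => field => message ).
 * Only values that passed every check appear in 'data'.
 */
function validate_settings( array $input ): array {
	$errors = array();
	$clean  = array();

	// Integer with a range: false for "abc", "15abc", arrays, null, and out-of-range values.
	$interval = filter_var(
		$input['refresh_minutes'] ?? null,
		FILTER_VALIDATE_INT,
		array( 'options' => array( 'min_range' => 5, 'max_range' => 1440 ) )
	);
	if ( false === $interval ) {
		$errors['refresh_minutes'] = 'must be an integer between 5 and 1440';
	} else {
		$clean['refresh_minutes'] = $interval;
	}

	// Allowlist: accept only known values, never "anything except X".
	// The is_string() check rejects units[]=... style array input outright.
	$units = $input['units'] ?? '';
	if ( ! is_string( $units ) || ! in_array( $units, ALLOWED_UNITS, true ) ) {
		$errors['units'] = 'unknown unit';
	} else {
		$clean['units'] = $units;
	}

	// Format: filter_var's e-mail check (is_email() is the WordPress equivalent).
	$email = filter_var( $input['contact_email'] ?? null, FILTER_VALIDATE_EMAIL );
	if ( false === $email ) {
		$errors['contact_email'] = 'invalid e-mail address';
	} else {
		$clean['contact_email'] = $email;
	}

	return array( 'ok' => empty( $errors ), 'data' => $clean, 'errors' => $errors );
}

// Constructed sample submissions, checked with assert().
$good = validate_settings( array(
	'refresh_minutes' => '15',
	'units'           => 'celsius',
	'contact_email'   => 'admin@example.com',
) );
assert( true === $good['ok'] && 15 === $good['data']['refresh_minutes'] );

$bad = validate_settings( array(
	'refresh_minutes' => '15abc',            // not an integer
	'units'           => array( 'celsius' ), // array where a string is expected
	'contact_email'   => 'not-an-email',
) );
assert( false === $bad['ok'] && 3 === count( $bad['errors'] ) && empty( $bad['data'] ) );
```

Because `'data'` only ever contains values that passed validation, the save path can write it to the database as-is; the `'errors'` map gives the user a specific message per field instead of a cryptic failure.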