plugins - Is Wrapping intval() Around esc_attr() Redundant for Escaping Input?


My gut tells me wrapping esc_attr() in intval() is redundant when it comes to escaping input, but I would like to double-check.

Also: considering that <option value="">- select no. -</option> is hardcoded/value is null, that chunk of input wouldn't need to be escaped, correct?

Here is my current code set-up:

        <select name="_number">
            <option value="">- select no. -</option>
            <?php
            $savedNo = intval( get_post_meta( $post->ID, '_number', true ) );
            for ( $x = 1; $x <= 100; $x++ ) {
                echo '<option value="'
                    . intval( esc_attr( $x ) ) . '"'
                    . ( $x === $savedNo ? ' selected="selected"' : '' )
                    . '>'
                    . 'No. ' . intval( esc_attr( $x ) )
                    . '</option>';
            }
            ?>
        </select>

Thank you!

asked Jan 23, 2020 at 17:39 by gardinermichael (edited Jan 23, 2020 at 18:06)

2 Answers


Based on the WordPress documentation for the esc_attr function, it returns a string value. So, if you need the integer value, you need to use the intval function. But when you want to display that value or put it as part of markup, it doesn't make sense.

Escape functions are useful for outputting and printing values. If you want to save a value in the database, the data type matters and you may need to use the intval function alongside sanitization.

In your case you don't need any of these functions on $x, because its values are created by the for loop and are safe.
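An added example, not code from the question or the answer above, showing where each function belongs: intval() goes on the value read back from post meta, because that string comes from the database and the `===` comparison needs an integer; the loop counter $x gets neither intval() nor esc_attr(), since the loop already guarantees it is an integer in range; and esc_attr()/esc_html() are reserved for strings that are actually printed into markup. The esc_attr() fallback at the top is an assumption so the file runs from the PHP CLI outside WordPress; the function name render_number_select and the sample meta values are constructed for the demo.

```php
<?php
// Outside WordPress, stand in for esc_attr() with htmlspecialchars() so this
// file runs from the CLI. Assumption: this is only an equivalent for the demo,
// not WordPress's implementation; inside a plugin the real function is used.
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES, 'UTF-8' );
    }
}

/**
 * Coerce whatever get_post_meta() returned into the integer the select needs.
 * Meta values are stored as strings, so '42' would never be === to the int 42
 * without this cast; anything non-numeric becomes 0, which selects no option.
 */
function saved_number( $raw_meta ) {
    return intval( $raw_meta );
}

/**
 * Render the select. $raw_meta is the (untrusted, stringly typed) value from
 * the database; $label_prefix stands in for any text that may come from an
 * option or setting and is escaped with esc_attr() because it is printed.
 */
function render_number_select( $raw_meta, $label_prefix = 'No. ' ) {
    $saved_no    = saved_number( $raw_meta );
    $safe_prefix = esc_attr( $label_prefix );   // the only printed string that is not loop-generated

    $html  = '<select name="_number">' . "\n";
    // Hard-coded markup with an empty value: nothing here came from outside, nothing to escape.
    $html .= '    <option value="">- select no. -</option>' . "\n";

    for ( $x = 1; $x <= 100; $x++ ) {
        // $x is an int produced by the loop. esc_attr($x) would only turn it into
        // the string "7", and intval() would turn it straight back; both are no-ops.
        $html .= '    <option value="' . $x . '"'
               . ( $x === $saved_no ? ' selected="selected"' : '' )
               . '>' . $safe_prefix . $x . '</option>' . "\n";
    }

    return $html . '</select>' . "\n";
}

// Constructed sample meta values, as a CLI demo.
// '42'        -> option 42 is selected
// '7abc'      -> intval() yields 7, so option 7 is selected
// 'not a no.' -> intval() yields 0, so nothing is selected
foreach ( array( '42', '7abc', 'not a no.' ) as $sample ) {
    echo "--- meta value: {$sample} (as int: " . saved_number( $sample ) . ")\n";
    $out = render_number_select( $sample );
    // Print only the selected line, if any, to keep the output short.
    foreach ( explode( "\n", $out ) as $line ) {
        if ( strpos( $line, 'selected' ) !== false ) {
            echo $line, "\n";
        }
    }
}
```

The split between saved_number() and render_number_select() mirrors the answer's point: the type cast belongs where the value enters the code from storage, and escaping belongs at the point of output for strings that are genuinely untrusted. If the option label were user-supplied text rather than an attribute, esc_html() would be the matching output function.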
