Coding Standards
- Always use single quotes, never double quotes
- Vertical space is poetry; curly braces on same line.
- Use whitespace for readability.
Avoid Raw SQL
- Use $wpdb object
- Use $wpdb->prepare() if SQL is needed.
- Use existing table if possible instead of custom tables.
- prepare() method handles sanitization and quotes. No reason not to use it.
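The same lookup written the raw way the notes warn against and then with $wpdb->prepare(), as an added example (not code from these notes). The table is WordPress's own, reached through $wpdb->posts; the function names, the slug-prefix use case and the 20-row limit are illustrative.

```php
<?php
// Added example, not from the original notes. Finds published posts whose
// slug starts with a user-supplied prefix.

// Unsafe: $prefix is concatenated straight into the SQL, so a value that
// contains a quote changes the query instead of being matched as data.
function example_posts_by_prefix_unsafe( $prefix ) {
    global $wpdb;
    $sql = 'SELECT ID, post_title FROM ' . $wpdb->posts
         . ' WHERE post_name LIKE \'' . $prefix . '%\' AND post_status = \'publish\'';
    return $wpdb->get_results( $sql );
}

// Safe: every value goes through a placeholder. %s is quoted and escaped,
// %d is cast to an integer. The only literal % characters allowed in the
// SQL string itself must be written as %%.
function example_posts_by_prefix( $prefix ) {
    global $wpdb;

    // prepare() does not know about LIKE: a % or _ inside $prefix would still
    // act as a wildcard, so esc_like() escapes those first, then we append
    // the one wildcard we actually want.
    $like = $wpdb->esc_like( $prefix ) . '%';

    $sql = $wpdb->prepare(
        'SELECT ID, post_title FROM ' . $wpdb->posts
        . ' WHERE post_name LIKE %s AND post_status = %s LIMIT %d',
        $like,
        'publish',
        20
    );
    return $wpdb->get_results( $sql );
}

// Writes: $wpdb->insert() takes a data array and a matching format array,
// so no SQL string is assembled by hand at all. Illustrative meta key/value.
function example_record_lookup( $post_id, $prefix ) {
    global $wpdb;
    return $wpdb->insert(
        $wpdb->postmeta,
        array(
            'post_id'    => $post_id,
            'meta_key'   => 'example_last_prefix',
            'meta_value' => $prefix,
        ),
        array( '%d', '%s', '%s' )
    );
}
```

$wpdb->esc_like() is its own method and is the one thing prepare() does not cover for LIKE clauses: placeholders quote the value but leave wildcard characters meaningful. The insert helper also shows the point of the "use $wpdb object" bullet: the insert()/update()/delete() methods build and escape the statement themselves.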
Use the esc_* API
- Provides sanitization against XSS and SQL injection attacks.
- esc_html(), esc_attr(), esc_js(), esc_url() – uses are obvious.
- Trust no arbitrary data, even your own.
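One untrusted record rendered into the four output contexts the four functions exist for, as an added example (not code from these notes). The record is constructed sample data with a quote, an ampersand, angle brackets and a javascript: URL spread across its fields; the function name and markup are illustrative. esc_* is output escaping for HTML, attributes, inline script and URLs; the SQL side of the notes' claim is what $wpdb->prepare() above handles.

```php
<?php
// Added example, not from the original notes. Each value is escaped with
// the function that matches the context it lands in; using the wrong one
// (esc_html() inside an attribute, say) leaves a gap.
function example_render_card( array $record ) {
    ob_start();
    ?>
    <div class="card" title="<?php echo esc_attr( $record['title'] ); ?>">
        <a href="<?php echo esc_url( $record['url'] ); ?>">
            <?php echo esc_html( $record['name'] ); ?>
        </a>
        <script>
            // esc_js() escapes quotes, backslashes and line breaks so the
            // value stays inside the single-quoted JS string literal.
            var cardName = '<?php echo esc_js( $record['name'] ); ?>';
        </script>
    </div>
    <?php
    return ob_get_clean();
}

// Constructed sample input. The title would close the attribute early, the
// name would open a tag in the body, and the URL carries a scheme that
// esc_url() does not allow (it returns an empty string for such values).
$record = array(
    'name'  => 'Ann & Bob <Co>',
    'title' => 'Tom\'s "Best" <Widgets>',
    'url'   => 'javascript:void(0)',
);

echo example_render_card( $record );
```

Escape at output time, in the template, rather than once at input time: the same value may later be printed into a different context, and only the code that emits it knows which context that is.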
Use Nonces (Number Only Used Once)
- Use for single-use actions (forms)
- Add wp_nonce_field() to all forms
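A form carrying wp_nonce_field() and the handler that verifies it before doing anything, as an added example (not code from these notes). The action name 'example_save_note', field name 'example_nonce', option name 'example_note' and the manage_options capability are illustrative choices; the functions are WordPress's own.

```php
<?php
// Added example, not from the original notes. A small admin form whose
// submission is tied to the current user and to one named action.

function example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php
        // Emits a hidden input named example_nonce whose value is bound to
        // the action name, the current user and the current time window.
        wp_nonce_field( 'example_save_note', 'example_nonce' );
        ?>
        <input type="hidden" name="action" value="example_save_note">
        <textarea name="note"><?php echo esc_textarea( get_option( 'example_note', '' ) ); ?></textarea>
        <?php submit_button( 'Save note' ); ?>
    </form>
    <?php
}

function example_handle_save() {
    // Stops the request (wp_die) unless the nonce in example_nonce is valid
    // for example_save_note. wp_verify_nonce() is the non-fatal variant if
    // the failure should be handled in code instead.
    check_admin_referer( 'example_save_note', 'example_nonce' );

    // A nonce proves the request was intended by this user; it says nothing
    // about whether the user may perform the action, so check that too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change this setting.' );
    }

    $note = '';
    if ( isset( $_POST['note'] ) ) {
        $note = sanitize_textarea_field( wp_unslash( $_POST['note'] ) );
    }
    update_option( 'example_note', $note );

    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}

// admin-post.php dispatches to admin_post_{action} for the value of the
// hidden "action" field above.
add_action( 'admin_post_example_save_note', 'example_handle_save' );
```

One caveat on the heading: a WordPress nonce is valid for a time window (by default up to 24 hours) and can be submitted more than once inside it, so it defends against cross-site request forgery, not against replay. The capability check is what decides whether the action is permitted at all.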
Use The Shortcode API
- Allows JavaScript/embeds in posts safely.
- Functions: shortcode_atts() and add_shortcode()
- Shortcodes are the wave of the future for WP.
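A shortcode that embeds a video player without letting post authors write raw HTML, as an added example (not code from these notes). The shortcode name [example_video], its attributes, the eleven-character id pattern and the embed URL are illustrative; add_shortcode() and shortcode_atts() are the two functions the notes name.

```php
<?php
// Added example, not from the original notes. [example_video id="..."]
// expands to an iframe, with every attribute validated before it is used.

function example_video_shortcode( $atts ) {
    // shortcode_atts() merges the author's attributes over the defaults and
    // drops any key not listed here, so an unexpected attribute can never
    // reach the output. The third argument names the shortcode so the
    // shortcode_atts_example_video filter can adjust the defaults.
    $atts = shortcode_atts(
        array(
            'id'     => '',
            'width'  => 560,
            'height' => 315,
        ),
        $atts,
        'example_video'
    );

    // Validate shape before building markup: escaping protects the HTML,
    // but an id that is not an id should simply produce nothing.
    if ( ! preg_match( '/^[A-Za-z0-9_-]{11}$/', $atts['id'] ) ) {
        return '';
    }
    $width  = absint( $atts['width'] );
    $height = absint( $atts['height'] );
    if ( 0 === $width || 0 === $height ) {
        return '';
    }

    // Illustrative embed endpoint; the id is the only author-controlled part.
    $src = 'https://www.youtube.com/embed/' . rawurlencode( $atts['id'] );

    return sprintf(
        '<iframe src="%s" width="%d" height="%d" frameborder="0" allowfullscreen></iframe>',
        esc_url( $src ),
        $width,
        $height
    );
}

add_shortcode( 'example_video', 'example_video_shortcode' );
```

The pattern is what makes "safely" in the bullet above true: the author supplies a few values, the plugin decides the markup, and each value is checked against the shape it must have (an id pattern, a positive integer) before it is escaped for the context it lands in.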