Channel: WordPress › Support » Forum: Hacks - Recent Topics

bob.passaro on "Adding fields to front-end registration form: sanitize?"

Working on a site that allows users to register from the front end as "subscribers."

I'm adding a couple fields to the Registration Form so they can fill in first and last names in their profile without having to go to the backend. The code below is more or less from the Codex.

My question: WP is using update_user_meta, which in turn calls update_metadata, so this is sanitized and safe to save to the database this way, correct? Just want to verify that I don't need to do additional security in plugin code I'm using:

// Add a new form element...
add_action('register_form','hz_register_form');

function hz_register_form (){
	$first_name = ( isset( $_POST['first_name'] ) ) ? $_POST['first_name']: '';
	?>
	<p>
		<label for="first_name"><?php _e( 'First Name' ) ?><br />
		<input type="text" name="first_name" id="first_name" class="input" value="<?php echo esc_attr(stripslashes($first_name)); ?>" size="25" /></label>
	</p>
	<?php

	$last_name = ( isset( $_POST['last_name'] ) ) ? $_POST['last_name']: '';
	?>
	<p>
		<label for="last_name"><?php _e( 'Last Name' ) ?><br />
		<input type="text" name="last_name" id="last_name" class="input" value="<?php echo esc_attr(stripslashes($last_name)); ?>" size="25" /></label>
	</p>
	<?php
}

// Add validation. In this case, we make sure first_name is required.
add_filter('registration_errors', 'hz_registration_errors', 10, 3);

function hz_registration_errors ($errors, $sanitized_user_login, $user_email) {

	if ( empty( $_POST['first_name'] ) || empty( $_POST['last_name'] ) )
		$errors->add( 'name_error', __( '<strong>ERROR</strong>: Please include your first and last names.' ) );

	return $errors;
}

// Save extra registration user meta.

add_action('user_register', 'hz_user_register');

function hz_user_register ($user_id) {
	if ( isset( $_POST['first_name'] ) )
		update_user_meta($user_id, 'first_name', $_POST['first_name']);

	if ( isset( $_POST['last_name'] ) )
		update_user_meta($user_id, 'last_name', $_POST['last_name']);
}
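
An added example, not part of the original post or the Codex: update_user_meta() writes through $wpdb, so the value is escaped for SQL, but it does not strip markup from the value, so a name containing HTML would be stored as submitted. This hardened variant replaces the two handlers above; `hz_clean_name()` is a hypothetical helper name and the 60-character limit is an assumption.

```php
<?php
// Added example: hardened replacements for hz_registration_errors() and
// hz_user_register(). hz_clean_name() is a hypothetical helper, not a WordPress function.

/**
 * Return a cleaned name field from $_POST, or '' if it is missing or invalid.
 */
function hz_clean_name( $key ) {
	if ( ! isset( $_POST[ $key ] ) || ! is_string( $_POST[ $key ] ) ) {
		return ''; // Rejects array input such as first_name[]=x.
	}
	// WordPress adds slashes to $_POST; remove them before sanitizing.
	// sanitize_text_field() strips tags, line breaks and surrounding whitespace.
	$value = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );

	// Assumed limit for this example; choose what fits the site.
	return mb_substr( $value, 0, 60 );
}

add_filter( 'registration_errors', 'hz_registration_errors', 10, 3 );
function hz_registration_errors( $errors, $sanitized_user_login, $user_email ) {
	// Validate the cleaned value, so input that is only tags or whitespace counts as empty.
	if ( '' === hz_clean_name( 'first_name' ) || '' === hz_clean_name( 'last_name' ) ) {
		$errors->add( 'name_error', __( '<strong>ERROR</strong>: Please include your first and last names.' ) );
	}
	return $errors;
}

add_action( 'user_register', 'hz_user_register' );
function hz_user_register( $user_id ) {
	foreach ( array( 'first_name', 'last_name' ) as $key ) {
		$value = hz_clean_name( $key );
		if ( '' !== $value ) {
			// update_user_meta() unslashes its input, so pass slashed data.
			update_user_meta( $user_id, $key, wp_slash( $value ) );
		}
	}
}

// Wherever the stored name is printed, escape for the output context, e.g.:
// echo esc_html( get_user_meta( $user_id, 'first_name', true ) );
```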
