Wordpress - How to properly validate data from $_GET or $_REQUEST using WordPress functions?

WordPress doesn't provide any specific data validation functions for SUPERGLOBALS.

I use the PHP filter_input function then escape it as I would any untrusted variable.

$url = filter_input( INPUT_GET, 'some_query_string', FILTER_VALIDATE_URL );

echo '<a href="'. esc_url( $url ). '">Click Me</a>';

The PHP filter input accepts:

  • Validate filters
  • Sanitize filters
  • Other filters
  • Additional Filter flags

To your specific example:

You sanitized the $_GET data appropriately (thought I would use sanitize_key instead of sanitize_title -- can't say there's much of a difference, but sanitize_title is intended for use in URLs).

The method_exists function will return true for private and protected methods, so if a user tries to call a private or protected method, it'll fail without going to the 404. (Unless the display_admin_page method is in the same class.)

That brings us to the main potential exploit: that absolutely anyone can force any public method in your class to run. If possible, it's always better to specifically whitelist what can be accepted. That way you could validate with something like:

if ( !in_array( $_GET['page'], array( 'accepted_method', 'another_accepted_method' ) ) )