Don’t Be Shy to Use sprintf with WordPress

Don’t be shy to use the printf and sprintf functions with WordPress. They make code much easier to read. Take a look at the following examples.

echo '<a href="' . get_permalink() . '" class="link">' . get_the_title() . '</a>';

It looks quite dirty and it’s very easy to miss a quote or double-quote. Here’s one that looks a lot cleaner and easier to read:

printf( '<a href="%s" class="link">%s</a>', get_permalink(), get_the_title() );

And here’s a slightly less clean, but more secure example:

printf( '<a href="%s" class="link">%s</a>', esc_url( get_permalink() ), esc_html( get_the_title() ) );

You might think escaping the permalink and the post title is not necessary, and you’re right. However, it’s considered best practice to escape as late as possible, which is often right before the output. Here’s a more complex example, taken from the Twenty Twelve theme:

$date = sprintf( '<a href="%1$s" title="%2$s" rel="bookmark"><time class="entry-date" datetime="%3$s" pubdate>%4$s</time></a>',
    esc_url( get_permalink() ),
    esc_attr( get_the_time() ),
    esc_attr( get_the_date( 'c' ) ),
    esc_html( get_the_date() )
);

It also makes use of argument swapping (the numbered %1$s, %2$s placeholders), which is very common when working with translation functions, mainly because translations, RTL languages in particular, often need the arguments in a different order. It’s also much easier to read when there are two or more placeholders.
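Putting the two ideas together, here is an added example (not code from the original post or from Twenty Twelve) that builds an entry’s “Posted on … by …” line with numbered placeholders and late, context-specific escaping. The theme text domain mytheme and the function name are assumptions.

```php
<?php
/*
 * Added example, not from the original post or from Twenty Twelve.
 * Assumes a theme text domain 'mytheme' (hypothetical).
 */
function mytheme_entry_meta() {
    // Each value is escaped right before it lands in the markup, with the
    // escaper chosen by context: esc_url() for href values, esc_attr() for
    // other attributes, esc_html() for text between tags.
    $date_link = sprintf(
        '<a href="%1$s" rel="bookmark"><time class="entry-date" datetime="%2$s">%3$s</time></a>',
        esc_url( get_permalink() ),
        esc_attr( get_the_date( 'c' ) ),
        esc_html( get_the_date() )
    );

    $author_link = sprintf(
        '<a class="url fn n" href="%1$s" title="%2$s" rel="author">%3$s</a>',
        esc_url( get_author_posts_url( get_the_author_meta( 'ID' ) ) ),
        /* translators: %s: author display name */
        esc_attr( sprintf( __( 'View all posts by %s', 'mytheme' ), get_the_author() ) ),
        esc_html( get_the_author() )
    );

    // Numbered placeholders let a translator reorder the date and the author
    // without touching the markup; both fragments were already escaped above.
    printf(
        /* translators: 1: date link, 2: author link */
        __( 'Posted on %1$s by %2$s', 'mytheme' ),
        $date_link,
        $author_link
    );
}
```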

You can learn more about sprintf (with a bunch of cool examples) in this article, and about escaping and data validation right here.

Thanks for reading and have a great day!

Github’s Asking for my Password

“Why is Github asking me to input my username and password when I try to push changes to a repository I own?” I asked this myself a couple of times before I figured out I had cloned it the wrong way:

git clone https://github.com/kovshenin/publish.git .

As opposed to:

git clone git@github.com:kovshenin/publish.git .

The former uses HTTPS and therefore asks for basic authentication (username and password); the latter uses the SSH protocol and tries my SSH key instead, for password-less authentication. The former works, but you’ll have to keep entering your username and password every time. The latter is more secure.

Simple, but tricky. No, I don’t use a GUI for version control, and neither should you, trust me :)

Quick Tip: How to Make Tweet Embeds Responsive

Twitter embeds were introduced in WordPress 3.4, allowing you to insert tweets by pasting a link to the tweet on a line of its own in your post or page content. However, many responsive themes (including mine) ended up with broken layouts on narrow screens, since the embedded tweet gets a fixed width of 550 pixels. After a little poking around, I found an easy way to solve this with some CSS magic:

.entry-content .twitter-tweet-rendered {
    max-width: 100% !important;
}

Where entry-content is the class name of your content wrapper, which differs from theme to theme. This makes sure that the rendered tweet block scales along with its container. Obviously, if your existing theme is not responsive, this trick will probably not work; try Twenty Eleven ;)

You can also try stripping out the width argument by filtering on oembed_result, like Otto mentioned, but I think CSS is the better way to go. Tested on Android and iOS 5.

Update: Created a core ticket for Twenty Eleven and Twenty Twelve — #21680.

Tip: get_posts will suppress_filters by default

I was wondering why my posts_where filter was not being executed on my WordPress query, and after a bit of poking around I figured out that get_posts sets suppress_filters to true unless specified otherwise, making WP_Query skip a bunch of SQL filters, including the posts_where I was trying to set. So learn the easy way — get_posts will suppress filters by default.

Hopefully this won’t be such a problem when date_query makes it into core, since one of the most popular uses for posts_where is better date filtering.

Nonces on the Front End is a Bad Idea

Here’s a tip! Don’t add nonce fields on the front end of your site for logged out users. That may cause trouble with page caching plugins, which will serve HTML from cache with the nonce field, even if the nonce has expired. Also, nonces don’t really help prevent spam in contact forms, etc., especially for anonymous visitors. Nonces are used for security.