Title: Using sprintf in shortcode
Last modified: August 30, 2016

---

# Using sprintf in shortcode

 *  Resolved [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/)
 * Hi,
 * I have a page-template that displays a form via a shortcode, I use this to display
   the form:
 *     ```
       echo do_shortcode( '[my-form]' );
       ```
   
 * I want a text input field in backend so user can insert shortcode attributes (
   so user can rename form labels). My field is called ‘attributes’.
 * I use this to display the shortcode in page-template, including inserted attributes.
 *     ```
       $content = sprintf('[my-form %s]', esc_attr($instance['attributes']) );
       if ( !empty( $instance['attributes'] ) ) {
       	echo do_shortcode( $content );
       }
       ```
   
 * Code works, but can I use a sprintf in this case?
    Because it has nothing to 
   do with a ‘normal’ text string.
 * Guido

Viewing 14 replies - 1 through 14 (of 14 total)

 *  [Chris Mok](https://wordpress.org/support/users/chris_dev/)
 * (@chris_dev)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862304)
 * Hi Guido,
 * I’m not sure about using sprintf.
    But I normally do it like below:
 * $content = ‘[my-form’;
    if ( !empty( $instance[‘attributes’] ) ) { $content =‘‘.
   $instance[‘attributes’]; }
 * $content = ‘]’;
    //echo $content; echo do_shortcode( $content );
 * Hopefully it helps you.
 *  Thread Starter [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862321)
 * Thanks, I like that, clean and simple 🙂
 * Guido
 *  Thread Starter [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862349)
 * Hi again,
 * Justed tested it, but does not work. This part isn’t correct I think:
 *     ```
       $content = ' '.$instance['attributes'];
       ```
   
 * So I changed it into this:
 *     ```
       $content = '[my-form';
       if ( !empty( $instance['attributes'] ) ) {
       	$content = $instance['attributes'];
       }
       $content = ']';
       echo do_shortcode( $content );
       ```
   
 * But now only ] is displayed in frontend.
 * Guido
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862367)
 * Hey Guido,
 * You are repeatedly assigning new values to $content in your use of ‘=’ . In order
   to append more content to the existing value you need to use the combination 
   concatenation/assignment operator ‘.=’ (dot equals) in all but the first use 
   of ‘=’ .
 *  Thread Starter [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862377)
 * Hi BC,
 * Of course, stupid me:
 *     ```
       $content = '[my-form ';
       if ( !empty( $instance['attributes'] ) ) {
       	$content .= $instance['attributes'];
       }
       $content .= ']';
       echo do_shortcode( $content );
       ```
   
 * Guess I should use this in stead of a sprintf?
 * Guido
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862385)
 * I hate it when I make a silly mistake for all to see. Still, it seems I continue
   to do so almost every day 🙂
 * Either way will work. `sprintf()` doesn’t output anything despite the use of “
   print”. You still need to echo out what ever is returned, so it mainly comes 
   down to personal preference.
 * Whichever way you go, be sure that you use `$instance['attributes']` only inside
   the `if( !empty())` logic otherwise warnings or errors will be triggered if it
   is not defined.
 *  Thread Starter [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862407)
 * I normally use the sprintf only for text related strings, so that’s why I was
   wondering.
 * Thanks again for your detailed explanation! Btw, do you also have your own (portfolio)
   website? Just curious.
 * Guido
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862412)
 * Shortcodes are essentially text expanders, so still text strings, and whatever
   works with strings is fair game!
 * Yeah, there’s a website, but it’s not a portfolio. It’s kind of a blog, but curiously
   it’s not WP based! Hand coded 🙂 Recently it’s been mostly articles about hacking
   WP, things not covered too well in the Codex. I’ve occasionally referred people
   there though I try to use wordpress.org resources when possible. The [plugin developer’s handbook](https://developer.wordpress.org/plugins/intro/)
   has a lot of good stuff, I contributed to it based on some of [my website’s](http://glennmessersmith.com)
   articles. (The AJAX and Meta box sections of the handbook FWIW)
 *  Thread Starter [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862415)
 * Hi ‘bc’,
 * I will definitely take a look, thanks.
 * Guido
 *  Thread Starter [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862469)
 * Unfortunately shortcode is not allowed for themes:
    _ The theme uses the add\
   _shortcode() function. Custom post-content shortcodes are plugin-territory functionality.
 * So I have to think about another solution or remove the shortcode again.
 * Have a nice couple of days 🙂
 * Guido
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862476)
 * Your theme is using something like
    `echo do_shortcode( '[my-form]' );` So there
   must be something like `add_shortcode('my-form', 'my-form-handler');`
 * Instead of all the shortcode stuff, you could just do
    `echo my-form-handler();`
 * Of course passing attributes would no longer work, but you could pass parameters
   the normal way
    `my-form-handler( $instance['attributes'] )` Then in the handler
   function, the values in `$instance['attributes']` could be extracted and used.
   Naturally, then the function no longer works as a shortcode handler, but it serves
   the ultimate purpose of outputting relevant content none the less. Thus you essentially
   have a template tag instead of a shortcode, which are certainly acceptable in
   themes.
 * FYI, shortcodes will work in themes just fine (as you know), but themes are supposed
   to style and format content, not generate content. Shortcodes generate content,
   that is why there’s an issue. Of course template tags could generate content,
   and shortcodes might only output a theme form, not user content. The division
   between user content and theme content (i.e. forms) is not always clearly defined,
   but generally speaking it’s understandable to not allow shortcodes in themes 
   because of what they are typically used for. If you are not using shortcodes 
   for what they are typically used for, you have other options, like template tags
   🙂
 *  Thread Starter [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862477)
 * Hi BC,
 * Thanks again.
 * I was working on a major [theme update](https://wordpress.org/themes/myknowledgebase/)
   including a function to add the shortcode attributes via the Customizer but this
   is rejected because of the shortcode (I now understand why). So I should build
   a function including the attributes and echo the content. Great idea.
 * Another thing, are you able and willing to help me concerning [this](https://wordpress.org/support/topic/malicious-akismet-code-in-header)?
   If yes, I will contact you via your website.
 * Guido
 *  Moderator [bcworkz](https://wordpress.org/support/users/bcworkz/)
 * (@bcworkz)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862479)
 * Oh my! That must be a very disturbing discovery, you have my condolences. I like
   to think I’m pretty good at creative solutions to custom WP coding, but that 
   is not necessarily related to identifying security holes. For that one needs 
   to think like a hacker, but that is not how my mind works. I do not feel I’m 
   qualified to help you in that manner.
 * Still, a fresh set of eyes may be better than nothing, I’d be willing to take
   a quick look to see if anything obvious jumps out. My review would not be any
   kind of indication that your code is safe, but I might notice something. I won’t
   have time until next week. I also cannot look through all of your code (you’ve
   been busy!) Is there a particular theme and/or plugin you suspect more than others?
   You may as well answer here. You never know, someone else may be willing to look
   as well. We’re all part of the same community 🙂
 * BTW, no need to feel responsible for hacks to a site with 777 permissions! I’m
   not that surprised someone would do that, but seriously, what are they thinking?
   Oh, the naiveté of some!
 *  Thread Starter [Guido](https://wordpress.org/support/users/guido07111975/)
 * (@guido07111975)
 * [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862480)
 * Hi,
 * Don’t want to discuss it here anyfurther because it’s off topic and I don’t want
   to get banned 😉
 * _
    The common factor of all websites is they have one of my themes and one of
   my plugins installed.
 * Another common factor is my FTP software because I made a rookie mistake to store
   many logins there. And using a not so poplar FTP client CoreFTP.
 * Guido

Viewing 14 replies - 1 through 14 (of 14 total)

The topic ‘Using sprintf in shortcode’ is closed to new replies.

## Tags

 * [attributes](https://wordpress.org/support/topic-tag/attributes/)
 * [shortcode](https://wordpress.org/support/topic-tag/shortcode/)
 * [sprintf](https://wordpress.org/support/topic-tag/sprintf/)

 * In: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
 * 14 replies
 * 3 participants
 * Last reply from: [Guido](https://wordpress.org/support/users/guido07111975/)
 * Last activity: [10 years, 4 months ago](https://wordpress.org/support/topic/using-sprintf-in-shortcode/#post-6862480)
 * Status: resolved

## Topics

### Topics with no replies

### Non-support topics

### Resolved topics

### Unresolved topics

### All topics