wceu / camptix-invoices

A WordPress plugin that generates invoices for tickets purchased through Camptix

[Blocker] Lack of data validation and sanitization in `ctx_save_invoice_details` #27

Closed coreymckrill closed 5 years ago

coreymckrill commented 5 years ago

This function uses several raw values directly from $_POST, most without checking to see if they exist first. It also saves some of these $_POST values to the database without doing any kind of sanitization first.

  1. I would recommend using something like filter_input_array to retrieve all of the needed $_POST values and then bail if any of them are missing.
  2. Any values saved to the database should be run through sanitization functions such as absint or sanitize_text_field beforehand. Even if the values are all escaped properly on output, it's better to ensure that the database doesn't contain anything broken or malicious in the first place.

avillegasn commented 5 years ago

I've added data validation and sanitization in ctx_save_invoice_details. I didn't use filter_input_array due to the multidimensional aspect of the input data. Please @coreymckrill check the code again and let me know if I need to fix anything 👍

coreymckrill commented 5 years ago

@avillegasn Thanks, this looks good to me. There are still two $_POST parameters that are called directly before checking if they exist, $_POST['order'] and $_POST['invoice_metas']. You could probably just add them to the isset check at the top, though.
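
The pattern the three comments above describe (existence check for every required `$_POST` key up front, sanitization with `absint` / `sanitize_text_field` before anything reaches the database, and a hand-rolled walk instead of `filter_input_array` because the input is nested), written out as an added example. This is not the plugin's own `ctx_save_invoice_details`; only the two key names `order` and `invoice_metas` come from the thread. The nested key `email`, the `update_post_meta` storage call and the function names prefixed `ctx_example_` are assumptions made for illustration.

```php
<?php
/**
 * Illustrative hardened handler for the issue discussed above.
 * Added example, not the plugin's ctx_save_invoice_details(). The $_POST keys
 * 'order' and 'invoice_metas' are taken from the thread; everything else
 * (the nested 'email' key, the meta key, the storage call) is assumed.
 */

// Recursively sanitize a possibly multidimensional array of submitted strings.
// filter_input_array() does not descend into nested arrays, so walk it by hand.
function ctx_example_sanitize_deep( $value ) {
    if ( is_array( $value ) ) {
        $clean = array();
        foreach ( $value as $key => $item ) {
            // Array keys are attacker-controlled too. sanitize_key() lowercases and
            // keeps only [a-z0-9_-]; drop anything that ends up empty.
            $clean_key = sanitize_key( (string) $key );
            if ( '' === $clean_key ) {
                continue;
            }
            $clean[ $clean_key ] = ctx_example_sanitize_deep( $item );
        }
        return $clean;
    }
    // Scalars: strip tags, invalid UTF-8, line breaks and extra whitespace.
    return sanitize_text_field( (string) $value );
}

function ctx_example_save_invoice_details() {
    // 1. Bail before touching any value if a required parameter is missing.
    //    Both keys named in the thread go into the isset() check at the top.
    $required = array( 'order', 'invoice_metas' );
    foreach ( $required as $key ) {
        if ( ! isset( $_POST[ $key ] ) ) {
            return new WP_Error( 'ctx_missing_param', sprintf( 'Missing parameter: %s', $key ) );
        }
    }
    if ( ! is_array( $_POST['invoice_metas'] ) ) {
        return new WP_Error( 'ctx_bad_param', 'invoice_metas must be an array' );
    }

    // 2. Validate and sanitize before anything reaches the database.
    //    WordPress adds slashes to $_POST, so unslash first, then coerce/clean.
    $order_id = absint( wp_unslash( $_POST['order'] ) );
    if ( 0 === $order_id ) {
        return new WP_Error( 'ctx_bad_param', 'order must be a positive integer' );
    }
    $metas = ctx_example_sanitize_deep( wp_unslash( $_POST['invoice_metas'] ) );

    // Assumed field: one nested key with a stricter format than free text.
    if ( isset( $metas['email'] ) ) {
        $metas['email'] = sanitize_email( $metas['email'] );
        if ( ! is_email( $metas['email'] ) ) {
            return new WP_Error( 'ctx_bad_param', 'invalid email address' );
        }
    }

    // 3. Persist only the sanitized structure (storage call is assumed; arrays are
    //    serialized by update_post_meta()). Output must still be escaped on display.
    update_post_meta( $order_id, 'ctx_invoice_metas', $metas );
    return $order_id;
}
```

The early `return new WP_Error(...)` on a missing key is the "bail if any of them are missing" step; the recursive walk replaces `filter_input_array` for the nested `invoice_metas` array, and `absint`/`sanitize_text_field` run before `update_post_meta`, so the stored data is clean regardless of how it is escaped later.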