Calling ctype_alnum should count as sanitized input

[kkmuffme]

if ( !empty( $_POST['hello'] ) && ctype_alnum( $_POST['hello'] ) ) {
    $hello = $_POST['hello'];
}

Atm it's reported as WordPress.Security.ValidatedSanitizedInput

[jrfnl]

It's a little more subtle than that (from a WPCS point of view):

Using ctype_*() functions don't sanitize the input - the functions return a boolean and don't alter the received variable by ref.

However, it is a valid way to check whether sanitization is needed.

As things are, that kind of checks - whether sanitization is needed - is only taken into account by the ValidatedSanitizedInput sniff for a limited set of circumstances. This would be a new circumstance which would need to be added.

There may be a few more of the ctype_*() functions, like ctype_alpha(), which could be included in such a check.

Refs: https://www.php.net/manual/en/ref.ctype.php