Securing (sanitizing) Input

Securing input is the process of sanitizing (cleaning, filtering) input data.

You use sanitizing when you don’t know what to expect or you don’t want to be strict with data validation.

Any time you’re accepting potentially unsafe data, it is important to validate or sanitize it.

Remember: Even admins are users, and users will enter incorrect data on purpose or by accident. It’s your job to protect them from themselves.

Sanitizing the Data

The easiest way to sanitize data is with built-in WordPress functions.

The sanitize_*() family of helper functions is convenient: each one ensures you end up with safe data, and they require minimal effort on your part.

Example

Let’s say we have an input field named title.

<input id="title" type="text" name="title">

You can sanitize the input data with the sanitize_text_field() function:

$title = sanitize_text_field( $_POST['title'] );
update_post_meta( $post->ID, 'title', $title );

Behind the scenes, sanitize_text_field() does the following:

  • Checks for invalid UTF-8
  • Converts lone less-than characters (<) to entities
  • Strips all tags
  • Removes line breaks, tabs and extra white space
  • Strips octets
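To show how this fits into a real save handler, here is an added example (not code from the handbook) that sanitizes each submitted field with the sanitize_*() function matching the data that field should hold. The form field names, the nonce action name and the meta keys are assumptions.

```php
<?php
// Added example, not from the handbook. Field names, the nonce action
// 'example_save_book' and the meta keys used below are assumptions.
add_action( 'save_post', 'example_save_book_meta' );

function example_save_book_meta( $post_id ) {
    // Only act on our own form submission, and only for users who may edit this post.
    if ( ! isset( $_POST['example_book_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['example_book_nonce'] ), 'example_save_book' )
        || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // WordPress adds slashes to $_POST, so remove them before sanitizing.
    $input = wp_unslash( $_POST );

    // Single-line text: tags, line breaks, tabs and stray octets are removed.
    if ( isset( $input['title'] ) ) {
        update_post_meta( $post_id, 'title', sanitize_text_field( $input['title'] ) );
    }

    // Multi-line text: same cleanup as sanitize_text_field(), but newlines are kept.
    if ( isset( $input['notes'] ) ) {
        update_post_meta( $post_id, 'notes', sanitize_textarea_field( $input['notes'] ) );
    }

    // Email: characters not permitted in an address are stripped; an address that
    // is still invalid afterwards comes back as an empty string, so store nothing then.
    if ( isset( $input['contact_email'] ) ) {
        $email = sanitize_email( $input['contact_email'] );
        if ( '' !== $email ) {
            update_post_meta( $post_id, 'contact_email', $email );
        }
    }

    // URL destined for the database (not for HTML output): esc_url_raw().
    if ( isset( $input['website'] ) ) {
        update_post_meta( $post_id, 'website', esc_url_raw( $input['website'] ) );
    }

    // Numeric field: absint() coerces to a non-negative integer, so inputs such as
    // "12abc" or "-5" are stored as 12 and 5 rather than as the raw strings.
    if ( isset( $input['pages'] ) ) {
        update_post_meta( $post_id, 'pages', absint( $input['pages'] ) );
    }
}
```

The nonce and capability checks guard who may submit the form; the sanitize_*() calls guard what gets stored, and the two are complementary rather than interchangeable.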