WordPress - Data sanitization: Best Practices with code examples

This codex page explains it pretty well I think.

The most important and commonly used function is probably esc_attr. Take this example:

<a href="<?php print $author_url; ?>" title="<?php print $author_name; ?>"> 
  <?php print $author_name; ?>
</a>

If $author_name contains a " character you get your attribute closed, and if that character is followed by onclick="do_something();" it could get worse :)

Doing print esc_attr($author_name) ensures that such characters are encoded, and the browser doesn't do things it is not supposed to do.

There's one case where you don't need it: when you are expecting a number, in which case you can just cast the input data to integer, for example:

print (int)$_POST['some_number'];

The meta* functions you listed there already take care of sanitizing the input for database storage, so you don't need to worry about that.

The wpdb->prepare() method needs to be used when you do the DB queries yourself. Here's an example:

$sql = $wpdb->prepare(
    'UPDATE wp_posts SET post_title = %s WHERE ID = %d',
    $_POST['title'], $_POST['id']);

$wpdb->query($sql);

The %s and %d keywords will get replaced with your sanitized $_POST values.

A very common mistake I see in many plugins in the WP.org repository is to pass an already prepared query to it (and badly prepared), like:

$wpdb->prepare('UPDATE wp_posts SET post_title = \''.$_POST['title'].' WHERE ...

Don't do this :)

Also, does sanitization need to be done differently when echoing HTML in PHP as against PHP inline of HTML?

Both the above statements achieve the same thing. But do they need to be sanitized differently?

No.
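The three points of the answer above (esc_attr() for attribute values, an integer cast for numeric input, and $wpdb->prepare() with %s/%d placeholders) in one runnable file. This is an added example, not code from any of the answers or from WordPress itself. It assumes esc_attr() and $wpdb are the usual WordPress globals; so that the escaping part can run outside WordPress, a stand-in esc_attr() built on htmlspecialchars() is defined only when the real function is absent, and the prepared query runs only when $wpdb exists.

```php
<?php
// Added example (not from the original answers). Demonstrates attribute
// escaping, integer casting of numeric input, and a prepared query.
//
// Assumption: esc_attr() and $wpdb are WordPress globals. The stand-in below
// exists only so the escaping part runs outside WordPress; the real esc_attr()
// is used whenever WordPress is loaded.
if (!function_exists('esc_attr')) {
    function esc_attr($text) {
        // ENT_QUOTES encodes both " and ' so neither can end an attribute early.
        return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
    }
}

// Constructed sample values: the author name carries the stray quote the
// answer warns about.
$author_url  = 'https://example.com/';
$author_name = 'Jane "the" Author';

// Unescaped: the quotes in $author_name terminate the title attribute, and
// whatever follows the quote is parsed as further attribute markup.
$unescaped = '<a href="' . $author_url . '" title="' . $author_name . '">'
           . $author_name . '</a>';

// Escaped: every quote, <, > and & is entity-encoded, so the browser sees one
// intact title attribute and plain text inside the element.
$escaped = '<a href="' . esc_attr($author_url) . '" title="' . esc_attr($author_name) . '">'
         . esc_attr($author_name) . '</a>';

echo $unescaped, "\n";
echo $escaped, "\n";

// Numeric input: the cast leaves only an integer, so no escaping is needed.
$_POST['some_number'] = '42abc';            // constructed request value
$number = (int) $_POST['some_number'];
echo $number, "\n";

// Prepared query: meaningful only inside WordPress, where $wpdb exists.
// prepare() quotes and escapes the %s value itself, so the SQL must not wrap
// the placeholder in quotes and must never concatenate $_POST into the string.
if (isset($wpdb)) {
    $_POST['title'] = $_POST['title'] ?? 'Constructed title'; // constructed
    $_POST['id']    = $_POST['id']    ?? '1';                 // constructed
    $sql = $wpdb->prepare(
        "UPDATE {$wpdb->posts} SET post_title = %s WHERE ID = %d",
        $_POST['title'],
        $_POST['id']
    );
    $wpdb->query($sql);
}
```

Run it with plain `php` to see the two anchor tags side by side: the first has a title attribute that ends after `Jane `, the second carries `&quot;` in place of each quote. `{$wpdb->posts}` is WordPress's prefixed name for the posts table, equivalent to the literal `wp_posts` in the answer on a default install. In a real theme, `esc_url()` is the WordPress escaper for the href value and `esc_html()` for element text; esc_attr() is shown for all three positions here because that is the function the answer covers.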

This video by Mark Jaquith cleared it all up for me. http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/