[wp-hackers] best practices for input/output sanitisation?

Ozh ozh at ozh.org
Wed Dec 8 09:34:29 UTC 2010


Best practices:

- use the Settings API http://codex.wordpress.org/Settings_API which is 
standardized and makes it easy to hook in validating/sanitizing functions

- sanitize functions: several functions are available in 
wp-includes/formatting.php. Page 
http://codex.wordpress.org/Data_Validation has good stuff

Ozh
-- 
http://ozh.org/


> Hi all
> 
> I would appreciate advice on what the definitive way is of handling 
> data received from forms, and storing it in a plugin's database 
> table. Specifically, text boxes and text areas. What filters should 
> be run on the data prior to it being inserted into the database, 
> and what filters should be run on the data prior to display? I 
> appreciate that many filters can be run, especially on output, so I 
> am hoping someone can provide a list of the essentials to do it safely.
> 
> To give some context, this example text box would be the name of a 
> doodad (similar to a post's title), and the text area would be the 
> content associated with this doodad (incl. possible HTML, similar to
> a post's content). This is meant to be an abstract, easy-to-
> understand example; saying "use custom post types" will not help me 
> learn which filters to use :)
> 
> I'm asking because I'm reviewing the way some of my plugins store 
> and sanitise their data, and while I think I have a good 
> understanding, I would greatly appreciate clarification from the 
> collective geniuses on this list. Thanks.
> 
> Regards
> Paul Gibbs
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
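Ozh's two points (Settings API with a sanitizing callback; sanitizers from wp-includes/formatting.php) applied to Paul's doodad name/content case, as an added example that is not from the thread. Option, table and function names are hypothetical; the core WordPress functions are real.

```php
<?php
// Added example (not from the original thread): sanitize on input, escape on
// output, for a plain-text "doodad" name and an HTML-capable content area.
// Option, table and function names (doodad_*) are hypothetical.

// 1. Settings API: the third argument to register_setting() is the sanitizing
//    callback, so every save of the option passes through it before storage.
add_action( 'admin_init', function () {
    register_setting( 'doodad_options', 'doodad_settings', 'doodad_sanitize_settings' );
} );

function doodad_sanitize_settings( $input ) {
    $clean = array();
    // Text box: strip tags, control characters and surrounding whitespace.
    $clean['name'] = sanitize_text_field( isset( $input['name'] ) ? $input['name'] : '' );
    // Text area: keep only the HTML a post author is allowed to use.
    $clean['content'] = wp_kses_post( isset( $input['content'] ) ? $input['content'] : '' );
    return $clean;
}

// 2. Plugin's own table: same sanitizers; $wpdb->insert() quotes the values
//    itself, and the format array pins each column to a string.
function doodad_insert( $name, $content ) {
    global $wpdb;
    return $wpdb->insert(
        $wpdb->prefix . 'doodads',
        array(
            'name'    => sanitize_text_field( $name ),
            'content' => wp_kses_post( $content ),
        ),
        array( '%s', '%s' )
    );
}

// 3. Output: escape for the context the value lands in, even though the
//    stored data was sanitized (older rows or other code may have written it).
function doodad_render( $row ) {
    echo '<h2>' . esc_html( $row->name ) . '</h2>';
    echo '<input type="text" name="doodad_name" value="' . esc_attr( $row->name ) . '">';
    echo '<div class="doodad-content">' . wp_kses_post( $row->content ) . '</div>';
}
```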