Escaping / encoding data before insert into a database?

You escape on output, what I suspect here is a confusion between escaping sanitizing and validating

  • Sanitise when data arrives. This strips out stuff that shouldn’t be there, e.g. upper case letters in a lower case string, words and letters in a phone number, trailing spaces etc. Sanitising cleans data
    • common sanitising functions include trim, sanitize_key, wp_strip_tags, intval, wp_kses_post, etc
  • Validate data once it’s been sanitised. Is that phone number really a phone number? Did somebody say they were -20 years old? Why does that mans address describe the recipe for cheese pasties? If it doesn’t validate, REJECT the data. If it does, process then store the value.
    • common validation includes regular expressions, is_numeric, checking string length, is_email, etc, validation usually requires context specific checks, e.g. enforcing values sit within a range, or that they appear in a whitelist array
  • Escape when you’re outputting that saved data to the frontend. Do this once and only once, at the moment of output. Don’t return complex HTML fragments in functions, echo them, and escape when you echo. Escaping might mangle your output if unsafe stuff makes it through, but it guarantees that the URL is always a URL, even if it’s a broken URL, that the text is always text, even if it contained a dangerous tag, etc
    • Escaping functions include, but aren’t limited to esc_html, esc_attr, esc_url, wp_kses_post, etc

Note that sanitising and validation happen when data is incoming, data that came from an external source such as the browser.

Escaping happens when data is being sent, to an API/user/browser. Escaping is like the cookie cutter that enforces expectations. If the variable contains a HTML attribute, esc_attr will ensure it’s an attribute, and doesn’t contain anything that’s invalid for an attribute, even if that means mangling the value to make it fit, removing bits. Of course, if you’ve escaped correctly, valid values will never be mangled.

Note that if you escape a value more than once, it can allow carefully crafted data to break out and render malicious output in some circumstances. This is why you only escape on output, and always as late as is possible. Pre-escaped data introduces the headache of having to track what has and hasn’t been escaped, aint nobody got time for that.

With escaping, trust is unnecessary, you should never have to trust that something is safe when you can force it to be safe.

Related Posts:

  1. MySQL SELECT increment counter
  2. Exclude Statement in SQL
  3. Detecting errors generated by $wpdb->get_results()
  4. wpdb update add current timestamp not working
  5. Displaying content from one WP site on separate WP site
  6. Lost the `wp_options` table: what’s the best way to restore the site?
  7. Can a post ID be 0?
  8. How to move existing WordPress wp-content folder along with database to new server and new domain name?
  9. what is the wp_5_posts table in the database?
  10. Migrating data between local and development server
  11. WordPress Database Charset/Collate
  12. How might I retrieve a featured post image from an external WP site and display it as a link back?
  13. What is the database table for pages?
  14. Using Dynamic Data Pulled from a MySQL Table in a WordPress Page
  15. What are conventions about the schema of the $table_prefix
  16. WordPress database becoming huge. How to analyze and optimize it? fear of running out of memory
  17. BuddyPress: What’s the use of wp_bp_xprofile_data table and how does it get updated? [closed]
  18. What’s the most efficient database method to add and query usermeta?
  19. How to solve slow WordPress site caused by attachment_metadata
  20. Is database safe after merging a branch of a more recent version over an older one?
  21. Hook to be used when creating a database table
  22. Delete all post meta except featured image
  23. Where is custom template file chosen for a post stored in the DB?
  24. Large database causes slow load
  25. Safe way to find last inserted id in a table?
  26. Database slowdown after update to 3.4.1
  27. How to insert data into MySQL database from the form created in WordPress site
  28. Emoji support and MariaDB 10.0.30-
  29. WordPress DATABASE Update Manually?
  30. Select Multiple meta_value from WP DB; Single Query
  31. One post carries 30 postmeta values, is this too much?
  32. Is it possible to split database tables using HyperDB?
  33. Show content from database
  34. What happens if I overwrite the current wp_options table with a backup from a week ago?
  35. Critical error in final stage of website launch – URLs are BROKEN!
  36. How do I get WordPress login to ignore the password input if a particular username is used?
  37. Migrating WordPress from DreamHost to Azure WordPress Resource via UpdraftPlus “wp_options table does not exist…” error
  38. “Error establishing a database” connection on some sites
  39. change wp user status from wp_users table
  40. How to Mirror WordPress database from Remote server to Local server
  41. WordPress is not creating table in database after activating plugin,
  42. Is MariaDB’s Aria storage engine suitable for WordPress?
  43. Difficulty importing my live site to local
  44. How do I delete these post types in my WordPress database?
  45. Slow queries constantly getting stuck on WordPress database of ~100,000 posts
  46. How do I query wp_options for expired transient pairs with MySQL commands?
  47. WordPress running SQL query to update database from form
  48. How to fix database error duplicate entry
  49. Use same database on main domain & sub domain
  50. How do I convert a MySQL database from utf8mb4 to utf8 encoding?
  51. WPDB SQL query with prepare() returning variable, not db value
  52. Get value form wordpress database
  53. Why user_pass column in wp_users table is varchar(64)
  54. Why this query is not showing any result on wordpresss home page?
  55. How to migrate a database from a server to another
  56. How to display content from external db with relevant urls
  57. Reinstalling wordpress from database breaks the site
  58. how to count click tab menu and insert to database
  59. Adding prefix to WordPress database tables breaks admin capabilities?
  60. What is the best way to resurrect and update my old WordPress site?
  61. Trouble running $wpdb->query() with last_insert_id
  62. Using $wpdb | checking entered email against existing emails in db
  63. content disappearing minutes after it’s published
  64. What is the most efficient way to reset a WordPress site?
  65. wp-cli: Error establishing a database connection: undefined constant DB_USER
  66. Add pdf to a website
  67. Optimizing function that automatically creates internal links based on post title string
  68. Woocommerce – Check product stock availability from external database
  69. Get results from wordpress data custom table
  70. Outputting query results
  71. Help With a Large WordPress Based MySQL Database on Shared Hosting
  72. Database migration issues – Error #1046 No database selected
  73. Can two domains use the same database?
  74. Search Character Set Problem
  75. _wp_attachment_metadata is not being added to database when PDF files uploaded
  76. How to get the full stack trace for WordPress “table doesn’t exist” error in debug.log?
  77. How to fix Uploaded to this post option to see group of images uploaded to a post?
  78. adding user_id and name to a separate table whenever a user register based on role
  79. How to access a table in a wordpress database using REST API?
  80. How do I loop/iterate through posts to edit all img tags?
  81. User saved through WordPress backend does not show up in database table users
  82. How to edit posts/pages without making the change live?
  83. How to optimise this database query?
  84. How to retrieve user data based on role using SQL?
  85. Adding featured for post using database
  86. get_the_terms is not working
  87. Store id from database query in cookie
  88. Split database on large site?
  89. Store the wordpress “featured image” under »wp_posts« Database table
  90. Return image urls with specific base string?
  91. What WordPress file is saving new users to database
  92. wordpress database error
  93. Restoring .sql backup results in “Error establishing a database connection”
  94. Link to handle $_GET request
  95. WordPress sync with phpbb
  96. “MySQL server has gone away” since update to 3.8
  97. Getting deleted users in database
  98. Getting data from a table using a query
  99. Database interaction (private-public) [closed]
  100. SQL Query to get post_id from wp_posts and and meta_key(s) from wp_postmeta