Instead of looping through the array, use this:

```php
// map_deep() returns the sanitized copy, so assign the result.
$form_data = map_deep( $form_data, 'sanitize_text_field' );
```

(see the User Notes in the function doc: https://developer.wordpress.org/reference/functions/sanitize_text_field/)
The docs state that the function:

- Checks for invalid UTF-8,
- Converts single < characters to entities
- Strips all tags
- Removes line breaks, tabs, and extra whitespace
- Strips percent-encoded characters
So you could also use the map_deep() process to sanitize $_POST.
But note also that the docs say:

> This function is not for protecting against SQL injection, so please
> don’t use it in your database queries. In most cases using
> https://developer.wordpress.org/reference/classes/wpdb/prepare/ with
> placeholders is best for database queries.
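
The two points above combined in one form handler, as an added example that is not part of the original answer: the nested input is sanitized with map_deep(), and the database write goes through $wpdb->prepare(). The action name `my_form_save`, the nonce field `my_form_nonce`, the field names, and the table `my_form_entries` are hypothetical; the code assumes it runs inside WordPress, for example from a plugin file.

```php
<?php
// Added example; hypothetical names: my_form, my_form_save, my_form_nonce, my_form_entries.
add_action( 'admin_post_my_form_save', 'my_form_handle_submit' );

function my_form_handle_submit() {
	global $wpdb;

	// Reject requests that do not carry the form's nonce.
	check_admin_referer( 'my_form_save', 'my_form_nonce' );

	// WordPress adds slashes to $_POST; remove them before sanitizing.
	$raw = isset( $_POST['my_form'] ) ? wp_unslash( $_POST['my_form'] ) : array();

	// map_deep() walks nested arrays and returns the mapped copy.
	// It does not modify its argument, so the result must be assigned.
	$form_data = map_deep( (array) $raw, 'sanitize_text_field' );

	// map_deep() keeps the input's structure: a client can still send
	// name[]=x and turn a scalar field into an array, so check the type.
	$name = ( isset( $form_data['name'] ) && is_string( $form_data['name'] ) )
		? $form_data['name']
		: '';
	$city = ( isset( $form_data['address']['city'] ) && is_string( $form_data['address']['city'] ) )
		? $form_data['address']['city']
		: '';

	if ( '' === $name ) {
		wp_die( 'Name is required.', 400 );
	}

	// sanitize_text_field() does not protect against SQL injection.
	// The values reach the query only through prepare() placeholders.
	$table = $wpdb->prefix . 'my_form_entries';
	$wpdb->query(
		$wpdb->prepare(
			"INSERT INTO {$table} (name, city) VALUES (%s, %s)",
			$name,
			$city
		)
	);

	wp_safe_redirect( admin_url() );
	exit;
}
```

Because sanitize_text_field() removes line breaks, a multi-line field such as a textarea needs sanitize_textarea_field() applied to that key instead of the blanket map_deep() call.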