Is default functions like update_post_meta safe to use user inputs?

After upvoting @pieter’s answer….

In recent time I came to the realization that it is much better to handle “bad” data gracefully when it is used (usually it means escaping, but also validation) than at input time. Data corruption can happen not only because of some rouge process “shitting” over your data, but also when the enviroment has changed and the data is not as relevant any longer ( a plugin was disabled).

Validation is worth doing if you are going to give some alert to the user, otherwise it might actually be a kind of intermediate state that is hard to protect against and give useful feedback (customizer live changes).

For sanitation, I just use the wordpress APIs for DB access and let them handle that side, but otherwise I feel it is usually waste of time to do anything more then that.

This all depends on context. In your case the question you should ask is whether you even want to sanitize the value, because sanitization means that the value a user request will not be displayed in the same way he wanted it to.

Related Posts:

  1. How safe / sanitized is wp_insert_posts()?
  2. When to use esc_html and when to use sanitize_text_field?
  3. What’s the difference between esc_* functions?
  4. is_email() VS sanitize_email()
  5. Which KSES should be used and when?
  6. How to escape custom css?
  7. Do Cookies Need to be Sanatized Before Being Saved?
  8. vs WordPress Security
  9. How Could I sanitize the receive data from this code
  10. Is wp_kses the right approach in sanitizing this string?
  11. Is it sensible to worry about sanitizing admin input in plugin custom CSS?
  12. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  13. Does meta-data need to be sanitized?
  14. Do we need to escape data that we receive from theme options?
  15. How WordPress sanitizes post content on save? Or it doesn’t?
  16. how to sanitizing $_POST with the correct way?
  17. What’s the best approach for generating a new API key?
  18. Simplest two-way encryption using PHP
  19. How does the SQL injection from the “Bobby Tables” XKCD comic work?
  20. how fix “this certificate cannot be verified up to a trusted certification authority”
  21. How can bcrypt have built-in salts?
  22. Getting a List of Currently Available Roles on a WordPress Site?
  23. What’s the easiest way to stop WP from ever logging me out
  24. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  25. Why are passwords exportable as plain text in WordPress?
  26. Is there a way to force ssl on certain pages
  27. Is sanitize_text_field() is enough to save to DB?
  28. What is the purpose of having a token in cookies?
  29. How to remove “Connection Information” requirement on localhost install of WP on MACOSX
  30. How is password strength calculated?
  31. Regular security checks – what steps should be included?
  32. What are the pros and cons of using a custom front-end to retrieve content from a WordPress back-end
  33. How to sanitize select box values in post meta?
  34. Disable external access to REST API Endpoint
  35. What is the wp-includes/certificates/ca-bundle.crt used for?
  36. Do you need to escape hard coded plain text?
  37. Encrypt emails?
  38. WordPress salts set in config and database
  39. What is the difference between strip_tags and wp_filter_nohtml_kses?
  40. Disallow file edit not preventing plugin install
  41. How to secure WordPress XMLRPC?
  42. What is the relationship between cURL, WordPress and cacert.pem?
  43. How can I find security hole in my wordpress site?
  44. Does WP show me if I’m logged in from multiple locations?
  45. HTTP Security Headers in wp-config
  46. WordPress Malware Problem help! [duplicate]
  47. Restrictive File Permissions
  48. Why are xmlrpc.php and wp-cron.php being called so often?
  49. Using esc_html with HTML purifier and CSSTidy: Overkill?
  50. wordfence scan warning on W3 Total Cache [closed]
  51. Securing a multi-user permission structure
  52. No option “I would like my site to be private, visible only to users I choose” in Privacy Settings
  53. How does the “authentication unique keys and salts” feature work?
  54. esc_html__ security : what for in this example?
  55. Securing wp-config leads to sensitive information leak on wp-settings
  56. Suspicious Files
  57. What’s the point of forbidding access to wp-config.php?
  58. wp-json and what data does it give away?
  59. Is is necessary to use security plugin for wordpress? [closed]
  60. neccessary?
  61. wp-config.php being written by attacker
  62. XML-RPC errors they know my username?
  63. Is [admin / admin] acceptable for all local websites?
  64. my wordpress website is suspended [closed]
  65. Malware script in database post table only? [closed]
  66. iTheme Security always lockout my account [closed]
  67. WordPress Front end Form – Enable to Submit PHP Codes
  68. Is it safe to hand over the admin rights?
  69. Is it safe use wp_editor in public contact form
  70. Is WordPress MultiSite secure & how much can it scale? [closed]
  71. How safe is current_user_can()?
  72. Is it safe to give wordpress directories ownership to www-data?
  73. How can I force a specific password?
  74. Why does WordPress change a file’s permissions?
  75. Side effects of disallowing *.php requests in production environment?
  76. Outgoing new connection to linked Websites – why?
  77. Input sanitation
  78. Sanitize user input fields before wp_insert_post
  79. My Site keeps crashing due to the wp-confg file being deleted
  80. Someone keeps changing my SITEURL (mysql injection or xss?) [closed]
  81. Who updates the wp-admin/core file?
  82. Replace domain in database
  83. Does this code indicate an exploit?
  84. What highest security brake with wordpress and static files?
  85. Spam in WordPress root folder
  86. Can WordPress admin user + database credentials be used to gain Cpanel or FTP access?
  87. Links to root domain from search engines don’t work, but direct links and links from other referrers do
  88. How can I backup my site if it gets hacked?
  89. Cannot access wp admin of WordPress website (security plugin issue) [closed]
  90. Why are the latest visits to my website originating from my own website?
  91. How do I hide WordPress users from security scanning?
  92. Background Updates Not Happening
  93. wp-config.php file and code injection
  94. Able to go to WordPress admin even after deleting auth cookies from request headers
  95. FORCE_SSL_ADMIN affecting subdomains
  96. What is the best security $_POST method?
  97. Is WordPress ready for GDPR compliance? [closed]
  98. How do you search for backdoors from the previous IT person?
  99. Is wp-cron.php vulnerable to external attacks and how to protect it?
  100. How to address security vulnerabilities: LUCKY13, BEAST, and BREACH