Which KSES should be used and when?

From the codex: wp_filter_kses should generally be preferred over wp_kses_data because wp_magic_quotes escapes $_GET, $_POST, $_COOKIE, $_SERVER, and $_REQUEST fairly early in the hook system, shortly after 'plugins_loaded' but earlier than 'init' or 'wp_loaded'. The first set is then preferred. More of a question of, "is stripping slashes more secure than not?" They both use … Read more

What is the best way to sanitize data?

No, the sanitization is already done. Well, the mysql_real_escape_string is done; it's considered bad form to filter HTML on input. I personally think doing it on output kinda breaches DRY. If you did it in WordPress I highly suspect somewhere else will do it again, resulting in double HTML entity encoding. Also, by the way, wpdb::insert … Read more

Reason for Lowercase usernames

Uppercase characters are not blocked in usernames on single site setups. Uppercase characters ARE blocked in usernames on multisite setups. The wpmu_validate_user_signup function forces lowercase a-z and numbers 0-9 only.

is_email() VS sanitize_email()

is_email() will take the provided string (an email address) and run checks on it to ensure that it is indeed an email address and that the string has no illegal characters in it. It would simply not change anything in the string you provided but return either true if the string passes all the function … Read more

What’s the difference between esc_* functions?

esc_html and esc_attr are near-identical; the only difference is that output gets passed through differently named filters (esc_html and attribute_escape respectively). esc_url is more complex and specific: it deals with characters that can't be in URLs and allowed protocols (a list of which can be passed as the second argument). It will also prepend input with … Read more

How to properly validate data from $_GET or $_REQUEST using WordPress functions?

WordPress doesn't provide any specific data validation functions for superglobals. I use the PHP filter_input function, then escape it as I would any untrusted variable: $url = filter_input( INPUT_GET, 'some_query_string', FILTER_VALIDATE_URL ); echo '<a href="' . esc_url( $url ) . '">Click Me</a>'; The PHP filter_input function accepts: validate filters, sanitize filters, other filters, and additional filter flags.

Sanitize content from wp_editor

In short: it depends on your context, the data inside your editor. wp_kses() is really helpful, and you can define your custom allowed HTML tags. Alternatively, you can use the default functions, like wp_kses_post or wp_kses_data. These functions are helpful in ensuring that HTML received from the user only contains white-listed elements. See … Read more
