You don’t have to do anything. On WP load: ‘init’ hook -> kses_init() -> kses_init_filters() Later: wp_insert_post() -> sanitize_post() -> sanitize_post_field() -> ‘content_save_pre’ -> wp_filter_post_kses() Similarly for post titles, comment text etc. Conclusion: wp_insert_post() is very sanitized. 🙂
Looking at the is_email() functionality on trac, it looks like you don’t need to sanatizie as it’s just string testing. I would even go so far as to say that if this function returns true, you wouldn’t need to sanitize it before sending it into the database.
This codex page explains it pretty well I think. The most important and commonly used function is probably esc_attr. Take this example: <a href=”https://wordpress.stackexchange.com/questions/48660/<?php print $author_url; ?>” title=”<?php print $author_name; ?>”> <?php print $author_name; ?> </a> If $author_name contains a ” character you get your attribute closed, and if that character is followed by onclick=”do_something();” … Read more
Here’s a way to do it with PHP’s array map function: // Good idea to make sure things are set before using them $tags = isset( $_POST[‘tags’] ) ? (array) $_POST[‘tags’] : array(); // Any of the WordPress data sanitization functions can be used here $tags = array_map( ‘esc_attr’, $tags );
There are two concepts here: validation – making sure data is valid, i.e. an integer is an integer, a date is a date (in the right format etc). This should be done just before saving the data. sanitisation – making the date safe for its use in the current context (e.g. escaping SQL queries, or … Read more
You are almost there. The function you need is sanitize_title_with_dashes( $title )
If the type of each of your input variables is a string and you want to sanitize them all at once, you can use: This will sanitize your $_GET and $_POST arrays. Seen here: PHP -Sanitize values of a array