Who is responsible for data sanitization in WordPress development?

Yes, WordPress will sanitise data on its way to the database, so long as you use the APIs.

If you’re using the wpdb object however you’ll need to use the prepare method to sanitise. I recommend against writing SQL queries as it bypasses object caches etc, but if you must write your own SQL, use wpdb to prepare and execute it

For calls such as WP_Query, get_posts, add_post_meta etc etc sanitisation occurs

Note that this is purely DB sanitisation, any additional sanitisation or validation you require, such as trimming trailing spaces, validation of URLs, stripping tags, escaping, etc, must all be done in your code

Related Posts:

  1. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  2. Is sanitize_text_field() is enough to save to DB?
  3. What is the proper way to validate and sanitize JSON response from REST API?
  4. What’s the proper way to sanitize checkbox value sent to the database
  5. Safely store code(html/js..) into database
  6. MySQL Database User: Which Privileges are needed?
  7. Database synchronization between dev/staging and production
  8. How can I make updates to a site, on a development copy, but then move updates back without overriding live site’s evolving database?
  9. Safest way to bulk delete post revisions
  10. How can I make a WordPress database portable and url independent?
  11. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  12. is_email() VS sanitize_email()
  13. Why does $wpdb return strings for mysql integer values?
  14. Dealing with Many Meta Values, 30+
  15. When is it appropriate to create a new table in the WordPress database?
  16. Is it possible to switch the data layer within WordPress?
  17. What is the most secure way to store post meta data in WP?
  18. store simple data in get_option()
  19. Default WordPress settings API data sanitization
  20. How to delete outdated, wrongly sized images in _wp_attachment_metadata?
  21. Have multiple local wordpress installs share a wp-content folder and database
  22. How to display data from custom table in wordpress database?
  23. How to implement content from external database into WordPress text page? [closed]
  24. Cloning and syncing a WordPress website
  25. What actions affect files, DB, or both?
  26. Using two different DB users on one WP install
  27. Add search Value to wp_list_table pagination
  28. Is $wpdb->prepare escaping to much? How to use it properly?
  29. How does WordPress store data?
  30. How to fix unchanged URLs in Database after running serialized search and replace script?
  31. Merging WordPress posts from different databases
  32. Should non-WordPress data get its own DB?
  33. vs WordPress Security
  34. How do I properly update the WordPress database password?
  35. Search and replace special characters (å,ä,ö) for image attachments only in database
  36. Permit Login if table row exists
  37. data (html) migration to posts
  38. Localhost to Staging to Development Dynamic WP-CONFIG
  39. Setup 3 Sites To Connect To 1 Database and Share Data
  40. Unable to sanitize in customizer and escape in theme without removing ability for user to use “< br >” to insert a line break
  41. WordPress and user security
  42. Uknown meta entries in wp_postmeta
  43. Is it necessary to do validation again when retrieving data from database?
  44. What can I do when an outside party hacks into my weblog and changes my display name?
  45. creating new field on mysql
  46. Why user_pass column in wp_users table is varchar(64)
  47. Using $wpdb | checking entered email against existing emails in db
  48. Can local WordPress installs share /wp-content/ folder and database?
  49. How WordPress sanitizes post content on save? Or it doesn’t?
  50. WordPress security [closed]
  51. SymmetricDS in dev + prod workflow?
  52. Secure way to use name_save_pre?
  53. WordPress Database – wp_usermeta and the correct number of session_tokens rows
  54. Insert NULL value using prepare()
  55. Where is the HTML-handler part in the wpdb class?
  56. A WP dev site that displays content from a live site’s database but cannot write to wp_posts?
  57. WPCLI search and replace in a particlar site dir effect another site-dir
  58. Merging development site with live site
  59. spambot registering without providing email or password, bypassing registration process
  60. One WP Database outside localhost and two connections
  61. Hash user emails in database?
  62. Get id from database
  63. Share WordPress Database
  64. MySQL Database User: Which Privileges are needed?
  65. how to sanitizing $_POST with the correct way?
  66. Can I have multiple primary keys in a single table?
  67. Data sanitization: Best Practices with code examples
  68. How to create bulk page and content? [closed]
  69. The revisions table in my database is at 70% capacity and growing. What should I do?
  70. WordPress for a very large website
  71. WP_list_table bulk_action get edit and delete
  72. stdObject stored in database. How does one convert it to usable format?
  73. I have a table I created, how do I make a form for a user to filter the data?
  74. Does WordPress ever need multiple databases?
  75. Why are no posts showing despite my apparently correct DB restoration?
  76. Show last modified date of database
  77. What generates these very slow postmeta queries? [closed]
  78. How to scan barcode and store data into a database [closed]
  79. Fetching values from database for select box
  80. fastest replacement DB
  81. Have working sql query… trying to adjust it to use $wpdb
  82. Best host for running large mem and processor intensive WordPress sites?
  83. Strange characters added to the database
  84. Image link issues after importing a database backup to my local web server
  85. multiple wordpress installs w/shared user database but separate content databases
  86. Updating seperate database when post attachment is changed
  87. add featured image dialog box disappear
  88. How to get a list of articles related to a particular category from my other WordPress website?
  89. /wp-admin not accessible after migrating to local host (no plugin issue)
  90. set_transient fails if the value has more than 60.000 characters
  91. WordPress how do I echo SUM from a column of a MySQL table by user id AND type_operation
  92. How can I get $wpdb to show MySQL warnings?
  93. About wp database hooks (error establishing connection)
  94. Create Tables in WordPress
  95. WordPress Failed to Login (DB Error)
  96. Check if values exists DB
  97. ERROR: “Table Prefix” must not be empty
  98. How do you build a database-centric site in WP?
  99. WordPress: Interact with Database Query Data and Login
  100. Weird WP -Cli Error Connection Refused