WPDB secure custom form

When getting user input to be stored on database, a good way to proceed is:

  1. Data validation: validate the data according whith the data you expect. For example: HTML string, number, email, URL, any text with no HTML, ect. Never trust on user input or client-side validation. You can make here also some sanitization, but it is not substitute of data validation and it is not substitute of data scaping.
  2. SQL escape: no explanation needed here I think. WorPress provide some functions and methods to perform this. esc_sql is the general function to prepare strings to be used in database queries. But is not always needed if you use wpdb class. For example, if using $wpdb->insert and $wpdb->update the data should be not scaped because it will be done for you.

If using $wpdb->query, the best method to scape the query is using $wpdb->prepare method. Additional scape methods are avalable in wpdb class; see this of how to use $wpdb->prepare and this for data escape before database interaction.

tech