WPDB secure custom form

When getting user input to be stored on database, a good way to proceed is:

  1. Data validation: validate the data according whith the data you expect. For example: HTML string, number, email, URL, any text with no HTML, ect. Never trust on user input or client-side validation. You can make here also some sanitization, but it is not substitute of data validation and it is not substitute of data scaping.
  2. SQL escape: no explanation needed here I think. WorPress provide some functions and methods to perform this. esc_sql is the general function to prepare strings to be used in database queries. But is not always needed if you use wpdb class. For example, if using $wpdb->insert and $wpdb->update the data should be not scaped because it will be done for you.

If using $wpdb->query, the best method to scape the query is using $wpdb->prepare method. Additional scape methods are avalable in wpdb class; see this of how to use $wpdb->prepare and this for data escape before database interaction.

Related Posts:

  1. form $_post action value gets truncated after it passes through two forms
  2. Passed variable gets undefined variable error on insert on next page
  3. Putting form result in my database
  4. How to return number of found rows from SELECT query
  5. Can i use php sql functions instead of $wpdb?
  6. How to correctly submit a search form and display the result in an independent page
  7. $wpdb->delete column values IN ARRAY()?
  8. Custom query to get post names beginning with a digit
  9. WordPress get pagination on wpdb get_results
  10. How to create and work with custom data / tables (i.e., for arbitrary data)?
  11. Ajax $wpdb not returning table data
  12. Converting MYSQL to WordPress $WPDB
  13. Why is variable not working on custom sql query using wpdb?
  14. Show MySQL errors that occur when I excute $wpdb->insert()
  15. Can’t get wp_insert_post to work
  16. WSoD being caused by this piece of code
  17. I want to select the from values from database in WordPress? [closed]
  18. Update results, Before deleting the related category [closed]
  19. wp query foreach deleting record returning only first or last item
  20. Database query works fine outside WordPress
  21. Using $wpdb (WPDB class) ‘replace’ with multiple WHERE criteria problem
  22. $wpdb->insert() does not Insert record in a table
  23. Help with a $wpdb MySQL Query
  24. Custom array from a query only write the last row of the query
  25. $wpdb returns duplicate posts
  26. Mixing variables into an array when inserting values
  27. Use $wpdb or other PHP script method to find/replace in WP database
  28. How can I add a new row in a separate database when someone registers via WordPress?
  29. Basic wpdb update question
  30. I can’t update my data through $wpdb
  31. Output: “Array”
  32. How to use mysql LIKE with wpdb?
  33. Submitting a form, using Ajax, to run a SQL Select query based on user input from the form
  34. How do I prepare strings for insertions as values into a MySQL table?
  35. How to use AJAX in WordPress in MYSQL query?
  36. Why won’t this wpdb get_results query return results?
  37. Adding data to custom wordpress database table
  38. Add row to custom database Table and delete all rows older than 1 day
  39. select a single val though a table in wordpress
  40. populate select options from extra mysql table data
  41. Query the links Database
  42. MySQL Query Returns Array () In Shortcode
  43. Using Ajax to submit a form, and run a SQL Select query based on user input from the form
  44. Passing in MySQL prepare statement parameter separately throwing error
  45. Convert a column of a table containing an Array as response in HTML
  46. Database SQL query error
  47. MYSQL TIMESTAMP when adding DATE_FORMAT then the output is blank, PHP conflict?
  48. Conditional formatting on data fetched from MYSQL
  49. What is the correct way to search 3 custom fields only in WordPress?
  50. Using wpdb to connect to a different database is not working
  51. Insert data from form to database
  52. Rewrite SQL query as a prepared statement and use in foreach loop
  53. Advanced WordPress SQL Query
  54. MySQL query in WordPress with AJAX
  55. Processing forms with php to wordpress database
  56. How to set up an auto delete post?
  57. MySQL queries in WordPress
  58. Using the same shortcode to show any table from the database
  59. MySQL database migration to WordPress
  60. How to pass username into form that sends data to database
  61. Custom form that stores data in mysql database
  62. Error resetting database index using ALTER TABLE in $wpdb->query
  63. How can I update a value of a field depending on outside source?
  64. Can’t insert into a database wordpress
  65. MySQL “Or” Condition
  66. Transaction when using WP functions rather than vanilla SQL?
  67. Has anyone tried putting PHP ActiveRecord on WordPress?
  68. Handling error states with admin_post
  69. How to merge local and live databases?
  70. WordPress 3 – how are passwords stored and how do I compare to them?
  71. How to select WooCommerce products by post_meta and order them
  72. Any possible way to make $wpdb->get_results() return anything else than array?
  73. Remove one value in dismissed_wp_pointers?
  74. How can I save unique user data on my site? [closed]
  75. Post + form + action + results on the same page
  76. Using custom tables for old posts
  77. “operation successful” message
  78. Moving wordpress site from localhost to live server using GoDaddy cPanel
  79. How does WP work in conjunction with a web server?
  80. Location of core code for database connection and get_header
  81. Wpdb->insert() doesn’t insert new row after the last one
  82. WordPress and MySQL: trying to print data using PHP from user_meta custom field data
  83. Form Submission Not Working In Custom Theme
  84. How to get specific attribute from DB
  85. Hide posts if user is added to it WP_query
  86. PHP -> SQL Query with Summing
  87. How to insert wp_users ->user login name to wp_terms when a new user registering?
  88. $wpdb->get_results breaking page?
  89. Get the id of the row from database on click of a button [closed]
  90. Display Results of SQL Query on WP site
  91. PHP Warning: mysqli_query(): after updating my websites php from 5.6 to 7.2
  92. PHP multiple forms, same page, isset($_POST[]) not working?
  93. How to display MySQL table data which is stored as an array?
  94. How do I stop my form from adding code to current page URL instead of re-directing. Been stuck for days
  95. 403 Forbidden WordPress Database Results
  96. Post from front end form to post_meta
  97. Accessing values entered via form – try again
  98. Nonce fail after second submit attempt
  99. Let users register weight each day and save it in DB
  100. Fetching wpdb data from a php file seems to break?