When getting user input to be stored in the database, a good way to proceed is:
- Data validation: validate the data according to the data you expect. For example: HTML string, number, email, URL, any text with no HTML, etc. Never trust user input or client-side validation. You can also do some sanitization here, but it is not a substitute for data validation and it is not a substitute for data escaping.
- SQL escape: no explanation needed here, I think. WordPress provides some functions and methods to perform this. `esc_sql` is the general function to prepare strings to be used in database queries, but it is not always needed if you use the `wpdb` class. For example, if using `$wpdb->insert` and `$wpdb->update`, the data should not be escaped because it will be done for you. If using `$wpdb->query`, the best method to escape the query is the `$wpdb->prepare` method. Additional escape methods are available in the `wpdb` class; see this on how to use `$wpdb->prepare` and this for data escaping before database interaction.
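The two steps above (validate first, then let `wpdb` handle escaping) carried through as an added example; this is not code from the original answer or from WordPress itself. It assumes a hypothetical custom table `{$wpdb->prefix}subscribers` with columns `id`, `email` and `display_name`, and that it runs inside WordPress so the global `$wpdb` and the core validation helpers (`is_email`, `sanitize_email`, `sanitize_text_field`, `absint`) are available. It also covers one caveat the answer does not spell out: `$wpdb->prepare` escapes quotes but not the `LIKE` wildcards `%` and `_`, so a user-supplied search term needs `$wpdb->esc_like()` before it goes into a `LIKE` pattern.

```php
<?php
// Added example (not from the original answer). Assumes a hypothetical custom
// table {$wpdb->prefix}subscribers with columns id, email, display_name,
// and that this file is loaded inside WordPress (global $wpdb available).

/**
 * Step 1: validate. Reject anything that is not the type we expect.
 * Sanitization helps, but it does not replace validation or escaping.
 */
function example_validate_subscriber( array $raw ) {
    $email = isset( $raw['email'] ) ? sanitize_email( (string) $raw['email'] ) : '';
    if ( '' === $email || ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'A valid e-mail address is required.' );
    }

    // Plain text only: sanitize_text_field() strips tags and control characters.
    $name = isset( $raw['display_name'] ) ? sanitize_text_field( (string) $raw['display_name'] ) : '';
    if ( '' === $name || strlen( $name ) > 100 ) {
        return new WP_Error( 'invalid_name', 'Display name must be 1-100 characters of plain text.' );
    }

    return array( 'email' => $email, 'display_name' => $name );
}

/**
 * Step 2a: insert with $wpdb->insert(). Do NOT pre-escape the values;
 * wpdb escapes them itself, and the format array pins each column to %s/%d.
 */
function example_add_subscriber( array $raw ) {
    global $wpdb;

    $data = example_validate_subscriber( $raw );
    if ( is_wp_error( $data ) ) {
        return $data;
    }

    $inserted = $wpdb->insert(
        $wpdb->prefix . 'subscribers',
        $data,
        array( '%s', '%s' ) // one format per column, in array order
    );

    if ( false === $inserted ) {
        return new WP_Error( 'db_error', $wpdb->last_error );
    }
    return (int) $wpdb->insert_id;
}

/**
 * Step 2b: a hand-written query goes through $wpdb->prepare().
 * The value is bound to a %s placeholder, never concatenated into the SQL.
 */
function example_find_subscriber_by_email( $email ) {
    global $wpdb;

    $email = sanitize_email( (string) $email );
    if ( ! is_email( $email ) ) {
        return null;
    }

    $sql = $wpdb->prepare(
        "SELECT id, email, display_name FROM {$wpdb->prefix}subscribers WHERE email = %s LIMIT 1",
        $email
    );

    return $wpdb->get_row( $sql );
}

/**
 * Caveat for LIKE: prepare() escapes quotes, not the LIKE wildcards % and _.
 * Run the user term through $wpdb->esc_like() first, then add the wildcards
 * you actually intend. LIMIT is forced to an integer with absint() and %d.
 */
function example_search_subscribers( $term, $limit = 20 ) {
    global $wpdb;

    $term  = sanitize_text_field( (string) $term );
    $limit = min( absint( $limit ), 100 ); // integer only, capped

    $like = '%' . $wpdb->esc_like( $term ) . '%';

    $sql = $wpdb->prepare(
        "SELECT id, email, display_name FROM {$wpdb->prefix}subscribers WHERE display_name LIKE %s ORDER BY id DESC LIMIT %d",
        $like,
        $limit
    );

    return $wpdb->get_results( $sql );
}
```

Note the division of labour: the validation function decides whether the value is acceptable at all, `$wpdb->insert` and `$wpdb->prepare` decide how it is written into SQL, and neither step is skipped because the other one ran.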