plugin development - htmlentities and editing text

I am receiving user input via ajax. I am using stripslashes, and then sending to the database through Wordpress insert function.

When I display the data on screen, I am using htmlentities

I also need to in some circumstances return the data back to the user in an edit screen. Do I need to sanitize the data before putting the text back in a text box for edit.

asked Oct 17, 2019 at 14:24 by StripyTiger
  • 1 "sanitize before putting" - yes and no, it depends on your code.. Or you. But sanitization should be done when receiving/saving an input, while escaping should be done when outputting the data. And when escaping in form fields, one can use esc_attr() or esc_textarea(). – Sally CJ Commented Oct 17, 2019 at 16:16

1 Answer


Do I need to sanitize the data before putting the text back in a text box for edit.

You "sanitize" data that you are receiving. Then "escape" it when outputting.

Depending on your exact code (which you did not provide any examples of), you may want to do more than stripslashes() (or replace that altogether). WP has several built in functions for handling various kinds of data. For example:

// Use the "sanitize" functions instead of stripslashes()
$sanitized_username = sanitize_user( $_POST['user_login'] );
$sanitized_email = sanitize_email( $_POST['user_email'] );
$sanitized_fname = sanitize_text_field( $_POST['first_name'] );
$sanitized_lname = sanitize_text_field( $_POST['last_name'] );
// Now you can write these to the db or use them.

// "Escape" data when outputting
echo '<input class="' . esc_attr( $my_class ) . '" name="some_input" value="" />';

echo '<a href="' . esc_url( $my_url ) . '" />';

These are just a few examples - there are quite a few different functions within WP itself for proper data handling.

Also, you don't need to escape data if you know for certain what it is. In your case, you're pulling it from a database, so you shouldn't necessarily trust it as 100% safe. But if you're outputting something that's contained in a variable but the variable is set in the code (i.e. you're not pulling it from an untrusted source), then you don't need to escape it.
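The sanitize-on-input, escape-on-output split described in the answer, as an added plugin-style example (not code from the question or the answer). It assumes it runs inside WordPress, a hypothetical table {$wpdb->prefix}my_notes with columns title and body, and a nonce named my_notes_nonce sent by the AJAX caller.

```php
<?php
// Added example (not from the question or answer): a minimal round trip.
// Assumes WordPress is loaded, a hypothetical table {$wpdb->prefix}my_notes
// (columns title, body) and a nonce field named "nonce" in the AJAX request.

// 1) Receiving: sanitize on input. wp_unslash() replaces stripslashes()
//    because WordPress itself adds slashes to $_POST.
add_action( 'wp_ajax_my_notes_save', function () {
    check_ajax_referer( 'my_notes_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $body  = sanitize_textarea_field( wp_unslash( $_POST['body'] ?? '' ) );

    global $wpdb;
    $ok = $wpdb->insert(
        $wpdb->prefix . 'my_notes',
        array( 'title' => $title, 'body' => $body ),
        array( '%s', '%s' )
    );
    if ( false === $ok ) {
        wp_send_json_error( 'db error', 500 );
    }
    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
} );

// 2) Outputting: escape for the context. The stored text is kept as typed;
//    esc_attr() / esc_textarea() encode it so it cannot close the attribute
//    or the <textarea>, and the browser decodes it again, so the user edits
//    the original text. Running htmlentities() before saving would instead
//    double-encode it in the edit box.
function my_notes_edit_form( $note ) {
    ?>
    <form method="post">
        <input type="text" name="title"
               value="<?php echo esc_attr( $note->title ); ?>" />
        <textarea name="body"><?php echo esc_textarea( $note->body ); ?></textarea>
        <input type="hidden" name="nonce"
               value="<?php echo esc_attr( wp_create_nonce( 'my_notes_nonce' ) ); ?>" />
    </form>
    <?php
}
```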
