In WordPress Data Validation and Sanitization

In the WordPress or any program you are developing you should to verify and filtered the user inputs and data that are coming external code. For plugin security the data validation is the most important part. If any there is no validation or improperly validated the data it can be lead to SQL injection hacks, it can be exploits the data, and errors. A set of escaping functions WordPress features that you can use to verify that your data is escaped properly or not when being displayed to the screen. See the following list of the escaping functions follow a set naming standard, they makes it easy to identify what they are escaping the data. Below a figure shows that escaping function naming template.

  • esc_: For the escaping functions this prefix use.
  • attr: For escaping the context (attr, textarea, html, js, sql, url_raw, and url).
  • _e: For use the optional translation suffixes. The available suffixes are __ and _e.

For escaping data that contains HTML this esc_html() function is used. By this function encodes the special characters into the equivalent HTML entities. Those characters includes that are &, <, >, “, and ‘ as you can see:

<?php esc_html( $text ); ?>

For escaping HTML attributes this esc_attr() function is used. Whenever you need to display data inside an HTML element this function should be used:

For escaping the HTML <textarea> values this function use.
For escaping the HTML tag values this function use.

For escaping HTML <textarea> values this esc_textrea() function is used. Encode text for use in a <!–<textarea>–> form element here should be used this function as follows:

Uses of Function esc_textarea.
Uses of Function esc_textarea.

In WordPress has features also that a function for validating the URLs and this function called esc_url(). So this function should be used to the scrub the URL for illegal characters. The href is technically an HTML attribute it should be use the esc_url() function like bellow:

<a href=”<?php echo esc_url( $url ); ?>”>

Escapes the text strings in JavaScript this esc_js() function:


var bwar='<?php echo esc_js( $text ); ?>’;


Escapes the data for use in a MySQL query this esc_sql() function is use. It is really just a shortcut for $wpdb->escape()as you can see below:

<?php esc_sql( $sql ); ?>

For translating the escaped data the optional translation suffix ( __ or _e) is used. The __ only returns the escaped translated value and _e suffix will echo the escaped translated text.


//escapes, translates, and displays the text

esc_html_e( $text, ‘prowp-plugin’ );

//escapes, translates, but does NOT display

$text = esc_html__( $text, ‘prowp-plugin’ );


Let’s suppose If the data you are validating to be an integer then use the intval() PHP function to verify and validate it. By this intval() function return the integer value of a variable. The variable if a string, and therefore it is not an integer then it will return 0.

$variable = 71747;

$variable = intval( $variable );

WordPress uses another function for working with integers is the absint().It ensures that the result is a nonnegative integer:

$variable = 714714;

$variable = absint( $variable );

Some very useful sanitizing functions in WordPress also features. These functions should be used to sanitize any data prior to saving it in the database. The one function is sanitize_text_field(). Purpose of this function will remove all invalid UTF-8 characters, remove all HTML tags, line breaks, and extra white space and convert single < into HTML entities.

<?php sanitize_text_field( $text ); ?>

E-mail address can also sanitize by using sanitize_email(). By this function will strip out allcharacters that are not allowable in an e-mail address. See the following code:

<?php $sanitized_email = sanitize_email( ‘!’ );

echo $sanitized_email; //will


This sanitize_email() function removes the illegal characters and extra spaces from the e-mail address submitted as you can see. For processing and sanitizing untrusted HTML a very powerful function is wp_kses().In WordPress to verify that only allowed HTML tags and attributes can be submitted by users by this function can do it. You can avoid cross-site scripting (XSS) attacks through your code by defining allowed HTML tags. Consider the following example:

Allowed tags
Allowed tags

Here will the first step is to define an array of all HTML tags and attributes. Here in this example you are allowing the <strong> and <a> tags. Tag <a> is allowed to include the href and title attributes. And the Next, you build an $html variable to test out the function. The final step is to pass the $html string and $allowed_tags arguments to the wp_kses() function. The preceding example would display the following code:

<a href=”#”>link</a>. This is bold and <strong>strong</strong>

Have you noticed that the <b></b> tags have been completely removed. This basic example really shows the power of this function. Any time you need to allow users to input HTML code, you should always use the wp_kses() function to verify that only acceptable HTML tags and attributes are allowed.