Data Sanitization
Data sanitization is the process of cleaning user input to ensure it's safe for storage and processing, removing potentially dangerous content.
How it works
In WordPress, sanitization happens on INPUT (before storage), while escaping happens on OUTPUT (before display). The correct order on input is wp_unslash() first, to remove the slashes WordPress adds to request data (its "magic quotes" behaviour), followed by the sanitize_* function appropriate for the data type.
In WordPress
WordPress provides type-specific functions: sanitize_text_field() for plain text, sanitize_email() for email addresses, esc_url_raw() for URLs destined for storage, absint() for non-negative integers, sanitize_file_name() for filenames, and wp_kses_post() for rich HTML content (it keeps only the tags and attributes allowed in post content).
Code example
// Unslash first (undo the slashes WordPress adds), then sanitize by data type.
$name  = isset( $_POST['name'] )  ? sanitize_text_field( wp_unslash( $_POST['name'] ) )  : '';
$email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) )      : '';
$url   = isset( $_POST['url'] )   ? esc_url_raw( wp_unslash( $_POST['url'] ) )           : '';
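The following is an added example, not code from the page or from WordPress itself, that carries the input/output split and the type-specific functions described above through a complete cycle: a hypothetical profile form is unslashed and sanitized on input, stored, and then escaped per context on output. It goes beyond the three-line snippet by covering all six sanitize functions named above plus the output side. It assumes WordPress is loaded (so the core functions exist); the function names prefixed demo_profile_ and the option name 'demo_profile' are invented for this example.

```php
<?php
// Added example (not from the page): sanitize on input, escape on output.
// Assumes WordPress is loaded. demo_profile_* and the 'demo_profile' option
// are hypothetical names chosen for this illustration.

function demo_profile_sanitize_input( array $raw ) {
    // Step 1: wp_unslash() removes the slashes WordPress adds to request data.
    // It works recursively, so the whole array can be unslashed at once.
    $raw = wp_unslash( $raw );

    // Step 2: one sanitize_* function per field, chosen by the field's data type.
    $clean = array(
        'name'    => sanitize_text_field( $raw['name'] ?? '' ),   // strips tags, control chars, extra whitespace
        'email'   => sanitize_email( $raw['email'] ?? '' ),       // keeps only characters valid in an address
        'website' => esc_url_raw( $raw['website'] ?? '' ),        // storage-safe URL (no HTML entity encoding)
        'age'     => absint( $raw['age'] ?? 0 ),                  // non-negative integer, never a raw string
        'avatar'  => sanitize_file_name( $raw['avatar'] ?? '' ),  // removes path separators and unsafe bytes
        'bio'     => wp_kses_post( $raw['bio'] ?? '' ),           // rich HTML limited to the post allow-list
    );

    // Sanitizing makes a value safe to store; it does not make it valid.
    // sanitize_email() can return a string that is still not a real address,
    // so validation is a separate step.
    if ( '' !== $clean['email'] && ! is_email( $clean['email'] ) ) {
        $clean['email'] = '';
    }
    return $clean;
}

function demo_profile_handle_post() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    $clean = demo_profile_sanitize_input( $_POST );
    // Store the sanitized array, never $_POST itself.
    update_option( 'demo_profile', $clean );
}

function demo_profile_render() {
    $p = get_option( 'demo_profile', array() );
    // Escaping happens here, on output, and is chosen per context:
    // esc_html() for text nodes, esc_attr() for attribute values, esc_url() for href.
    // wp_kses_post() is applied again on output as a late safeguard, in case the
    // stored value was written by some other code path.
    ?>
    <p><?php echo esc_html( $p['name'] ?? '' ); ?> (age <?php echo (int) ( $p['age'] ?? 0 ); ?>)</p>
    <p><a href="<?php echo esc_url( $p['website'] ?? '' ); ?>">Website</a></p>
    <p><a href="mailto:<?php echo esc_attr( $p['email'] ?? '' ); ?>">Email</a></p>
    <p>Avatar file: <?php echo esc_html( $p['avatar'] ?? '' ); ?></p>
    <div class="bio"><?php echo wp_kses_post( $p['bio'] ?? '' ); ?></div>
    <?php
}
```

The two halves are deliberately separate functions: demo_profile_sanitize_input() knows nothing about HTML, and demo_profile_render() knows nothing about $_POST. Keeping them apart is what makes the "sanitize on input, escape on output" rule enforceable in review, since any esc_* call inside the input handler, or any sanitize_* call standing in for escaping inside the template, is immediately visible as being in the wrong place.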