WP HealthKit

Data Sanitization

Data sanitization is the process of cleaning user input to ensure it's safe for storage and processing, removing potentially dangerous content.

How it works

In WordPress, sanitization happens on INPUT (before storage) while escaping happens on OUTPUT (before display, with the escape function chosen for the HTML context). The correct order on input is: wp_unslash() first (it removes the slashes WordPress adds to $_GET, $_POST, $_COOKIE and $_SERVER, the so-called magic quotes), then the sanitize_* function that matches the data type.

In WordPress

WordPress provides type-specific functions: sanitize_text_field() for plain text, sanitize_email() for emails, esc_url_raw() for URLs (storage), absint() for positive integers, sanitize_file_name() for filenames, and wp_kses_post() for rich HTML content.

Code example

// wp_unslash() first, then the sanitizer that matches the field's type; guard against missing fields.
$name  = isset($_POST['name'])  ? sanitize_text_field(wp_unslash($_POST['name']))  : '';
$email = isset($_POST['email']) ? sanitize_email(wp_unslash($_POST['email']))     : '';
$url   = isset($_POST['url'])   ? esc_url_raw(wp_unslash($_POST['url']))          : '';
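The two rules above (unslash first, then the type-specific sanitizer on input; escape only when rendering) applied to a complete settings handler that uses every function listed in the "In WordPress" section. This is an added example, not code from WP HealthKit or WordPress core; the hook name hk_demo_save, the option name hk_demo_settings, the nonce name, the capability and the field names are assumptions chosen for illustration, and the null-coalescing operator requires PHP 7 or later.

```php
<?php
/**
 * Added example (not WP HealthKit's code): a settings form handler that
 * applies the unslash-then-sanitize rule on input and escapes on output.
 * Hook, option, nonce and field names are assumptions for illustration.
 */

// Handles the POST from a form whose action is admin-post.php?action=hk_demo_save.
add_action( 'admin_post_hk_demo_save', 'hk_demo_save_settings' );

function hk_demo_save_settings() {
    // Capability and nonce checks come first; sanitization is not authorization.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'hk_demo_save', 'hk_demo_nonce' );

    // Remove WordPress magic quotes once, for the whole request array.
    $post = wp_unslash( $_POST );

    $settings = array(
        // Plain text: strips tags, invalid UTF-8, octets and line breaks.
        'name'      => sanitize_text_field( $post['name'] ?? '' ),
        // Email: strips characters not permitted in an address; may return ''.
        'email'     => sanitize_email( $post['email'] ?? '' ),
        // URL for storage: esc_url_raw() does not HTML-encode, unlike esc_url().
        'url'       => esc_url_raw( $post['url'] ?? '' ),
        // Non-negative integer: absint() casts to int and takes the absolute value.
        'max_items' => absint( $post['max_items'] ?? 0 ),
        // File name: removes path separators and other unsafe characters.
        'file'      => sanitize_file_name( $post['file'] ?? '' ),
        // Rich text: keeps only the tags/attributes allowed in post content.
        'bio'       => wp_kses_post( $post['bio'] ?? '' ),
    );

    // Validate after sanitizing: reject a submitted address that did not survive.
    if ( '' !== ( $post['email'] ?? '' ) && ! is_email( $settings['email'] ) ) {
        wp_die( 'Invalid email address.' );
    }

    update_option( 'hk_demo_settings', $settings );

    wp_safe_redirect( add_query_arg( 'hk_demo_updated', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

// Escaping happens on OUTPUT: each value gets the escape function for its HTML context.
function hk_demo_render_settings() {
    $s = get_option( 'hk_demo_settings', array() );

    echo '<p>' . esc_html( $s['name'] ?? '' ) . '</p>';
    echo '<a href="' . esc_url( $s['url'] ?? '' ) . '">' . esc_html( $s['url'] ?? '' ) . '</a>';
    echo '<input type="email" value="' . esc_attr( $s['email'] ?? '' ) . '">';
    echo '<p>' . (int) ( $s['max_items'] ?? 0 ) . '</p>';
    echo '<code>' . esc_html( $s['file'] ?? '' ) . '</code>';
    // wp_kses_post() output is already restricted to allowed markup; do not esc_html()
    // it here, or the permitted tags would be rendered literally.
    echo '<div>' . wp_kses_post( $s['bio'] ?? '' ) . '</div>';
}
```

Note the asymmetry the page describes: the URL is stored with esc_url_raw() but printed with esc_url(), and the rich-text field is filtered with wp_kses_post() on both sides because the stored value may predate the current allowed-tags list. Sanitizing on input does not replace the nonce and capability checks, which decide whether the request may change anything at all.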

WP HealthKit checks for Data Sanitization-related vulnerabilities automatically

WordPress Data Sanitization — sanitize_text_field() and Friends | WP HealthKit