This guide documents the functions available in WordPress and PHP for sanitization, validation, and escaping, along with best practices for other functions.

Escaping vs Sanitizing

Escaping and sanitizing are two different things, and it’s important to understand the difference between them.

To sanitize data means to clean it: to remove any harmful or unwanted data. For example, if you have a string that should be a number, you would sanitize it by removing any non-numeric characters. This ensures that the data is safe to be stored in the database and used in further processing.

To escape data means to make it safe to be output to the browser. Let’s say I’m outputting a variable and I don’t expect any HTML to be present in it. I would escape the data to ensure that any HTML is rendered as text, rather than being interpreted as HTML. This is vital to prevent Cross Site Scripting (XSS) attacks. For example, if a user enters a comment containing a <script> tag, and that comment is output to the page without being escaped, the script will be executed.

Sanitization Functions

WordPress provides a number of functions that can be used to sanitize data before further processing, and to make data safe to be inserted into the database. You can check out a list of available functions and read more about them here.

Validation

Validation is the process of ensuring that data is in the correct format. For example, if you have a form field that should contain an email address, you would validate the data to ensure that it is a valid email address. You can check out a list of available functions and read more about them here.

Escaping Functions

Escaping is the process of securing output before it is rendered, so that unwanted data, like malformed HTML or script tags, is treated as text rather than being seen as code. This helps protect against Cross Site Scripting (XSS) vulnerabilities. WordPress provides several different functions that escape strings for use in different contexts (HTML body, attribute values, URLs, and so on), and the right function depends on where the value is being output. You can check out a list of available functions and read more about them here.
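The following is an added example (not code from this guide or from WordPress core) that puts the three steps above together for one form submission: sanitize on input, validate the cleaned values, and escape at output using the function for each context. It assumes it runs inside WordPress, where the sanitize_*, is_email, esc_*, wp_kses_post, absint, wp_unslash and WP_Error functions come from core; the field names and the two demo_ function names are made up for illustration.

```php
<?php
// Added example, not part of the original page. Assumes a WordPress runtime;
// the form field names and the demo_ function names are hypothetical.

function demo_handle_profile_form() {
    // 1. Sanitize: clean the raw request data so it is safe to store and process.
    //    wp_unslash() removes the slashes WordPress adds to request data.
    $display_name = sanitize_text_field( wp_unslash( $_POST['display_name'] ?? '' ) );
    $email        = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $website      = esc_url_raw( wp_unslash( $_POST['website'] ?? '' ) );   // DB-safe URL
    $age          = absint( $_POST['age'] ?? 0 );                            // non-numeric becomes 0
    $bio          = wp_kses_post( wp_unslash( $_POST['bio'] ?? '' ) );       // keeps only post-safe HTML

    // 2. Validate: the data is now clean, but it may still not be in the expected format.
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Please enter a valid email address.' );
    }
    if ( $age < 13 || $age > 120 ) {
        return new WP_Error( 'invalid_age', 'Age must be between 13 and 120.' );
    }

    // Constructed return value standing in for what would be saved to the database.
    return compact( 'display_name', 'email', 'website', 'age', 'bio' );
}

function demo_render_profile( array $profile ) {
    // 3. Escape at output, choosing the function for the context each value lands in.
    //    A stored display name such as "<script>alert(1)</script>" is printed as text, not run.
    ?>
    <div class="profile" data-age="<?php echo esc_attr( $profile['age'] ); ?>">
        <h2><?php echo esc_html( $profile['display_name'] ); ?></h2>
        <a href="<?php echo esc_url( $profile['website'] ); ?>">
            <?php echo esc_html( $profile['website'] ); ?>
        </a>
        <p><?php echo esc_html( $profile['email'] ); ?></p>
        <div class="bio"><?php echo wp_kses_post( $profile['bio'] ); ?></div>
    </div>
    <?php
}
```

Note that the stored URL is cleaned with esc_url_raw() and the displayed one with esc_url(): the first is for storage and the second for output, which is why escaping is applied again at render time rather than relying on what was saved.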