Data sanitisation and validation in WordPress


Data is an important part of any website, whether it is content such as pages and posts or information submitted through forms and stored in the database.

Hence proper security checks are needed to decide whether that data is safe to output or safe to store.

Data Validation

Data validation is the process of checking that a piece of data is of the correct type and format. For example, an email address is validated by a regular expression that checks the format of the address; an amount may be an integer or a number with decimal places; a post code may be a combination of four numeric digits; and so on.

Data Sanitisation

Sanitisation, on the other hand, is the filtering or stripping out of all unneeded characters, whether they are HTML tags, JavaScript or anything else.

So validation and sanitisation are equally important. The basic rule for secure data is to trust nobody and treat every bit of data with caution before it is passed on for storage in the database.

WordPress provides a list of functions to validate different kinds of data, such as:

  1. Integers
  2. HTML/XML
  3. JavaScript
  4. URLs
  5. Database
  6. Filesystem
  7. HTTP Headers
  8. Input Validation
  9. HTML
  10. Email
  11. Arrays

For example, is_email($email) checks whether an email address is valid; for an invalid address it returns false.

Similarly, WordPress provides a list of functions to sanitise data, that is to strip out all unwanted characters. For example, sanitize_email() strips out any whitespace the user may have typed into the email address when filling in a form.

More information about WordPress data validation and sanitisation can be found here.

In conclusion, validation and sanitisation work in correlation with each other. Generally data is validated first and then sanitised, and only data that has passed both validation and sanitisation is stored in the database.
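The validate-then-sanitise-then-store flow described above, as an added example that is not part of the original post. It assumes it runs inside WordPress (so is_email(), sanitize_email(), sanitize_text_field(), wp_kses_post(), esc_html() and $wpdb are available); the function names, the form field names and the table name are hypothetical.

```php
<?php
/**
 * Added example: validate a form submission first, then sanitise it,
 * and only then store it. Field and table names are hypothetical.
 */
function rt_process_contact_form( array $input ) {
    global $wpdb;

    // Validation: reject data of the wrong type or format outright.
    $email = isset( $input['email'] ) ? trim( (string) $input['email'] ) : '';
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'invalid_email', 'Please enter a valid email address.' );
    }

    // An amount may be an integer or a decimal number, nothing else.
    $amount = isset( $input['amount'] ) ? (string) $input['amount'] : '';
    if ( ! is_numeric( $amount ) || (float) $amount < 0 ) {
        return new WP_Error( 'invalid_amount', 'Amount must be a non-negative number.' );
    }

    // A post code here must be exactly four digits.
    $postcode = isset( $input['postcode'] ) ? (string) $input['postcode'] : '';
    if ( ! preg_match( '/^\d{4}$/', $postcode ) ) {
        return new WP_Error( 'invalid_postcode', 'Post code must be four digits.' );
    }

    // Sanitisation: strip what is not wanted from each field.
    $clean = array(
        'email'    => sanitize_email( $email ),                    // drops characters not allowed in an address
        'amount'   => round( (float) $amount, 2 ),
        'postcode' => $postcode,                                   // already constrained by the regex above
        'name'     => sanitize_text_field( $input['name'] ?? '' ), // strips tags and stray whitespace
        'message'  => wp_kses_post( $input['message'] ?? '' ),     // keeps only the HTML allowed in posts
    );

    // Storage: $wpdb->insert() prepares and escapes every value for SQL.
    $wpdb->insert( $wpdb->prefix . 'rt_contact', $clean ); // table name is hypothetical

    return $clean;
}

// Output: escape again at the point of output, whatever was stored.
function rt_render_submission( array $clean ) {
    return '<p>' . esc_html( $clean['name'] ) . ' &lt;' . esc_html( $clean['email'] ) . '&gt;</p>'
         . wp_kses_post( $clean['message'] );
}
```

Validation returns a WP_Error so the caller can show the message and refuse the submission; sanitisation and output escaping are applied separately because data that is safe to store is not automatically safe to print.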

About Author

Robin Thebe

Digital Strategist based in Sydney.

I am a multi-disciplined web developer based in Sydney focusing on WordPress web design, WordPress development, SEO, SEM and email marketing.