2. Data Validation And Sanitization
Presented By: Rabin Shrestha
sun.ravi90@gmail.com

3. Overview
Definitions
Why Data Validation and Sanitization?
Difference between Data Validation and
Sanitization
Golden rules
Some helper functions in codex

4. Definitions
Data Validation: Data validation is to make
sure that we receive what we expect to receive
before saving it to database.
Data Sanitization: Make the data sane before
use i.e. before storing to the database or
echoing it to browsers(escaping)

5. Why Validate and Sanitize
Data?
Hackers can inject various script (sql
injection) or XSS(Cross-site Scripting)
<script>alert('hacked')</script>
<script>alert(document.cookie)</script>

6. Why Validate and Sanitize
Data?
Can break the output of the website
•Use of single quote, double quote can break the
output
Spread malware

7. Difference
Data Validation: If the data is valid we accept
it if not we reject it.
Data Sanitization: In contrast to data
validation, sanitization don‟t reject the whole
data but strips the evil tags and encodes the
tags before echoing it to browser.

8. Still confused??

9. Lets see this example
Source: http://devotepress.com

10. Remember Golden Rule
Rule no. 1: Never , Ever, Trust your users
Rule no. 2: Validate/sanitize all inputs and
escape all outputs
Rule no.3: Trust WordPress

11. What does trust Wordpress
mean?
Functions like the_title(),the_permalink(),
the_title_attribute(), the_content() are already
escaped by WordPress and are safe depending
upon context.
But custom data are not safe e.g
get_post_meta()

12. Some helper Escaping
functions
Esc_attr(): Escapes content to be contained
inside HTML attributes e.g, title, rel etc. Encodes
< > & “ „.
Esc_textarea(): Encodes text for use inside
<text area> element. Uses htmlspecialchars
function of PHP.

13. Some helper Escaping
functions contd..
This text contain <script
type="text/javascript">alert("XSS");</script>
here!
Esc_url(‘ $url’,(array)$protocols’): Sanitizes
url. Rejects url‟s that don‟t have one of the
provided whitelisted protocols.(defaulting to http,
https, ftp, ftps, mailto, news, irc etc)

14. Some helper Escaping
functions contd..
Esc_html():This function encodes < > & ” „
(less than, greater than, ampersand, double
quote, single quote), letting the browser render it
instead of interpreting it.
Esc_js(): Escape single quotes,
htmlspecialchar “ < > &. Intended to be used in
inline js. For example onclick=“do something”.

15. Some helper input validating
functions
Intval( $int ): Ensures the number is integer.
Absint( $int ): Ensures the number is non-
negative.
Sanitize_text_field(): Strips out extra white
space,tabs, line breaks and strips tags.

16. Some helper input validating
functions condt..
Wp_kses_post(): Sanitize content for allowed
HTML tags for post content.
wp_kses($string, $allowed_html, $allowed_
protocols):Only allowed html tags passed as
argument are accepted.

17. Some helper input validating
functions condt..
Is_email( $email ): Returns true if the email
address is valid.
Esc_url_raw(): Escapes url that are to be
saved to database.
Note: Esc_url is intended for output purpose
while esc_url_raw is intented for database
storage. Also esc_url doesnot encodes html
entities.

18. Sources
http://devotepress.com/coding/data-validation-
sanitization-wordpress-1/
http://devotepress.com/coding/data-validation-
sanitization-wordpress-2/
http://codex.wordpress.org/Data_Validation
http://wordpress.tv/2011/09/07/mark-jaquith-
jon-cave-brad-williams-plugin-security-
showdown/

19. Thank you!
Any Questions?