I’ve put together a custom meta box which has some input fields, that writes to the postmeta table using add_post_meta/update_post_meta. From doing some quick checks it appears that any data using this function is automatically sanitized to prevent SQL injections and the like.
Is this correct or should I be doing further sanitization on my inputs?