Resolved

Guido

    (@guido07111975)


    Hi,

    I save my form submission in the database using wp_insert_post() but I’m not fully certain whether this function also sanitizes (single) quotes or not. Don’t want to mess up my database.

    It uses sanitize_post_field() for sanitizing and this filter uses esc_js() for escaping quotes… for use in JS.

    But this has nothing to do with escaping it for the database itself… am I right?

    Guido

Viewing 7 replies - 1 through 7 (of 7 total)
  • When using sanitize_post_field(), if you set the fourth argument ($context) to db then it will make sure to sanitise the data for safe storage in the database. By default that parameter sanitises the data for display on the frontend, so it’s important to specify what type of sanitisation you require.

    Thread Starter Guido

    (@guido07111975)

    Hi Hugh,

    But I don’t call sanitize_post_field() directly, it’s being used by wp_insert_post().

    I stumbled upon this comment… is this the proper way to do it?

    Or should I not worry about this too much and let wp_insert_post() do its thing, without extra filters?

    Note: I do sanitize all values already, before using wp_insert_post().

    Guido

    It looks like wp_insert_post() does, in fact, use sanitize_post_field() correctly to sanitise data for the database (see line 3073 in the function here: https://developer.wordpress.org/reference/functions/wp_insert_post/).

    If your content may contain slashes, then yes – that solution is a good one. All you would need to do is add wp_slash() around the content you are passing through.
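    As an added illustration of the wp_slash() suggestion above (example code, not from the thread or from WordPress core; the field names guest_title and guest_body, the nonce action guest_post_form and the function name are assumptions), this is one way to take a front-end form submission through to wp_insert_post():

```php
<?php
// Added example, not part of the original thread. Assumed form fields:
// guest_title, guest_body, guest_post_nonce (nonce action: guest_post_form).
function example_save_guest_post() {
    // Reject submissions that did not come from our own form.
    if ( ! isset( $_POST['guest_post_nonce'] )
        || ! wp_verify_nonce( sanitize_key( $_POST['guest_post_nonce'] ), 'guest_post_form' ) ) {
        return new WP_Error( 'bad_nonce', 'Form verification failed.' );
    }

    // WordPress adds slashes to $_POST on load, so unslash before sanitising.
    $title = sanitize_text_field( wp_unslash( $_POST['guest_title'] ?? '' ) );
    $body  = wp_kses_post( wp_unslash( $_POST['guest_body'] ?? '' ) );

    // wp_insert_post() runs sanitize_post( $postarr, 'db' ) itself and unslashes
    // the data again before handing it to $wpdb->insert(), which performs the
    // actual database escaping. Passing slashed data (wp_slash) therefore keeps a
    // literal quote or backslash typed by the user intact instead of stripping it.
    $post_id = wp_insert_post( wp_slash( array(
        'post_type'    => 'post',
        'post_status'  => 'pending',   // hold guest submissions for review
        'post_title'   => $title,
        'post_content' => $body,
    ) ), true );                       // true: return WP_Error instead of 0 on failure

    return $post_id;
}
```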

    Thread Starter Guido

    (@guido07111975)

    Great:

    $postarr = sanitize_post($postarr, 'db');

    Meaning I don’t have to add extra filters, such as wp_slash(), for escaping quotes and such, because all data goes through sanitize_post / sanitize_post_field. Right?

    Guido

    That sounds correct to me yes – you should be good to go by just using wp_insert_post() 🙂

    Thread Starter Guido

    (@guido07111975)

    That simplifies things for me, thanks Hugh!

    Guido

    Happy to help!

  • The topic ‘Escaping (single) quotes when using wp_insert_post’ is closed to new replies.