I'm writing a WordPress plugin in which there is an input form for users with which they can add notes. I'm using the WooCommerce update_meta_data method to save notes in the database.
Considering this code:
$note = isset($_POST['order_note']) ? sanitize_text_field($_POST['order_note']) : '';
$order->update_meta_data('_order_note', wp_json_encode($note));
$order->save_meta_data();
I know that update_post_meta sanitizes data (SQL Injection) before inserting it into the database, but how about update_meta_data?
Is the above code safe to use for inserting data into the database?
CodePudding user response:
update_meta_data
As far as I can see in Woo's update_meta_data source code, no sanitizing function gets called.
update_metadata
On the other hand, if you take a look at the WordPress update_metadata docs, there are two sanitizing functions getting called:
and
So to answer your question: yes, I would use a sanitizing function too before I update the meta data using update_meta_data.
In order to do that, sanitize_text_field would usually get the job done fine, but if you want to be sure that you're using the right sanitizing function, then use sanitize_meta (docs) instead. That's what WordPress itself is using. Security-wise, I personally never had any problems using sanitize_text_field, nor did I see anybody else having any problems with it. The snippet you provided us with looks safe to me.