Never trust user input, even when it comes from an admin or from the database.
Validation checks an input against a list of requirements and rejects it if any fail.
in_array( mixed $needle, array $haystack, bool $strict = false ): bool
ctype_alnum( mixed $text ): bool
strlen( string $string ): int
...
https://developer.wordpress.org/apis/security/data-validation/
Sanitizing cleans an input, removing or transforming every unwanted piece of data.
// For text inputs:
sanitize_text_field( string $str ): string
// Use context-specific sanitizing functions where one exists, e.g.:
sanitize_email( string $email ): string
https://developer.wordpress.org/apis/security/sanitizing/
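The two steps above (validate first, then sanitize what passed) put together in one request handler. This is an added example, not code from the WordPress documentation; it assumes it runs inside WordPress (sanitize_text_field, sanitize_email, is_email and wp_unslash are WordPress functions), and the field names, the allowed-role list and the length limits are made up for the illustration.

```php
<?php
// Added example (not from the WordPress docs): a profile-update handler that
// validates, then sanitizes, a submitted form. Assumes WordPress is loaded.
// Field names, role allow-list and limits are hypothetical.

function handle_profile_update( array $post ): array {
    $errors = [];

    // 1. Validation: every required field must exist and be a string.
    //    A missing field is an error, never silently defaulted.
    foreach ( [ 'username', 'email', 'role' ] as $field ) {
        if ( ! isset( $post[ $field ] ) || ! is_string( $post[ $field ] ) ) {
            $errors[] = "missing or non-string field: {$field}";
        }
    }
    if ( $errors ) {
        return [ 'ok' => false, 'errors' => $errors ];
    }

    // Username: 3..20 bytes, ASCII alphanumeric only. strlen() counts bytes,
    // so check the length first and let ctype_alnum() reject anything else.
    $len = strlen( $post['username'] );
    if ( $len < 3 || $len > 20 || ! ctype_alnum( $post['username'] ) ) {
        $errors[] = 'username must be 3-20 alphanumeric characters';
    }

    // Role: must match an allow-list entry exactly. The third argument
    // ($strict = true) matters: with loose comparison, PHP type juggling
    // can make in_array() accept a value that is not really in the list.
    $allowed_roles = [ 'subscriber', 'editor' ];
    if ( ! in_array( $post['role'], $allowed_roles, true ) ) {
        $errors[] = 'role not allowed';
    }

    // Email: is_email() is WordPress's validator; it returns the address
    // on success and false otherwise.
    if ( ! is_email( $post['email'] ) ) {
        $errors[] = 'email is not valid';
    }

    if ( $errors ) {
        return [ 'ok' => false, 'errors' => $errors ];
    }

    // 2. Sanitization: even validated input is normalised before storage.
    //    sanitize_text_field() strips tags, invalid octets and extra
    //    whitespace; sanitize_email() strips characters an address cannot
    //    contain. The role already matched an allow-list entry byte for byte.
    $clean = [
        'username' => sanitize_text_field( $post['username'] ),
        'email'    => sanitize_email( $post['email'] ),
        'role'     => $post['role'],
    ];

    return [ 'ok' => true, 'data' => $clean ];
}

// Usage inside a request handler, after the usual capability and nonce
// checks: wp_unslash() undoes the slashes WordPress adds to superglobals.
// $result = handle_profile_update( wp_unslash( $_POST ) );
```

Validation returns errors instead of "fixing" bad input: a username that fails ctype_alnum is rejected, not trimmed into shape, because silently repairing input hides what the caller actually sent. Sanitization only runs on data that has already passed.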
Escaping outputs is the process of securing output data by stripping out or encoding unwanted data. Do the output escaping as late as possible, ideally at the moment the data is being output.
esc_html( string $text ): string // encodes HTML special characters (<, >, &, quotes) so tags are neutralized
esc_url( string $url, string[] $protocols = null, string $_context = 'display' ): string
esc_attr( string $text ): string
esc_js( string $text ): string
// escaping with localization
esc_html_e( 'Hello World', 'text_domain' );
// is equivalent to:
echo esc_html( __( 'Hello World', 'text_domain' ) );
https://developer.wordpress.org/apis/security/escaping/
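The four escaping functions above, each applied at output time to the context the value lands in (element content, attribute, href, inline JavaScript string), plus the esc_html( __() ) form of localized output. This is an added example, not code from the WordPress documentation; it assumes WordPress is loaded (esc_html, esc_attr, esc_url, esc_js and __() are WordPress functions), and the $profile array and the 'myplugin' text domain are made up for the illustration.

```php
<?php
// Added example (not from the WordPress docs): rendering a stored profile,
// escaping each value for the exact context it is printed into. Assumes
// WordPress is loaded; $profile and the 'myplugin' text domain are hypothetical.

function render_profile_card( array $profile ): string {
    // Escape at output, once per context. Escaping earlier (e.g. before
    // storing) bakes entities into the data and either double-encodes on
    // output or leaves a second output context unprotected.
    $name    = esc_html( $profile['display_name'] ); // element content
    $title   = esc_attr( $profile['display_name'] ); // inside title="..."
    $site    = esc_url( $profile['website'] );       // inside href="..."
    $js_name = esc_js( $profile['display_name'] );   // inside a JS string literal

    $html  = '<div class="profile" title="' . $title . '">';
    $html .= '<h2>' . $name . '</h2>';
    // esc_html( __( ... ) ) is what esc_html_e() does, minus the echo.
    $html .= '<a href="' . $site . '">'
           . esc_html( __( 'Visit website', 'myplugin' ) )
           . '</a>';
    $html .= "<script>var profileName = '" . $js_name . "';</script>";
    $html .= '</div>';
    return $html;
}

// Constructed sample input: markup and a quote in the name, and a URL whose
// scheme is not in WordPress's allowed-protocol list.
$profile = [
    'display_name' => "<b>Pat</b> O'Neil",
    'website'      => 'javascript:void(0)',
];
echo render_profile_card( $profile );
// esc_html() and esc_attr() turn < > and the quote into entities, so the
// <b> tag is displayed as text rather than rendered;
// esc_url() returns '' for a disallowed scheme, so the link becomes href="";
// esc_js() escapes the quote so the JS string literal cannot be terminated.
```

The same string is escaped three different ways because the contexts differ: what is safe inside an HTML element is not what is safe inside a JavaScript string, and esc_url additionally enforces an allow-list of URL schemes rather than just encoding characters.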
Source: https://developer.wordpress.org/apis/security/common-vulnerabilities/