Tags: wordpress, woocommerce, sql-injection, sanitization

Are values passed to the WooCommerce update_meta_data method fully sanitized?


I'm writing a WordPress plugin in which there is an input form for users with which they can add notes. I'm using the WooCommerce update_meta_data method to save notes in the database.

Considering this code:

// Strip tags/control characters from the submitted note (empty string if the field is missing).
$note = isset($_POST['order_note']) ? sanitize_text_field($_POST['order_note']) : '';
// Stage the value on the order object, JSON-encoded, under the '_order_note' meta key.
$order->update_meta_data('_order_note', wp_json_encode($note));
// Persist the staged meta to the database.
$order->save_meta_data();

I know that update_post_meta sanitizes data (SQL injection) before inserting it into the database, but how about update_meta_data?

Is the above code safe to use for inserting data into the database?


Solution

  • update_meta_data

    As far as I can see in WooCommerce's update_meta_data source code, there is no sanitizing function getting called.

    update_metadata

    On the other hand, if you take a look at the WordPress update_metadata docs, there are two sanitizing functions getting called:

    and


    So to answer your question: yes, I would use a sanitizing function too before I update the meta data using update_meta_data.

    In order to do that, sanitize_text_field would usually get the job done fine, but if you want to be sure that you're using the right sanitizing function, then use sanitize_meta (see its docs) instead. That's what WordPress itself is using. Security-wise, I personally never had any problems using sanitize_text_field, nor did I see anybody else having any problems with it. The snippet you provided us with looks safe to me.
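The answer's recommendation, carried through to a complete request handler, as an added example that is not code from the question, the answer, WordPress or WooCommerce. It assumes a form posting to admin-ajax.php with the action "save_order_note", the fields "order_id" and "order_note", and a nonce field "order_note_nonce" (all names chosen for this example); the meta key "_order_note" is the one from the question. Because update_meta_data does no sanitizing of its own, the handler cleans the value first, using sanitize_meta with a sanitizer registered for that key, the way the answer suggests; it also does the checks a practitioner would want around the same write (nonce, capability, order lookup, length bound) and escapes the note again when it is rendered, since a sanitized stored value is not automatically safe to print.

```php
<?php
/**
 * Added example (not from the question or answer above): an admin-ajax
 * handler that stores a user-supplied note as WooCommerce order meta.
 *
 * Assumptions (not stated on the page): action "save_order_note", POST
 * fields "order_id" and "order_note", nonce field "order_note_nonce".
 * The meta key "_order_note" comes from the question.
 */

// sanitize_meta() applies the "sanitize_{$object_type}_meta_{$meta_key}"
// filter, so register the sanitizer the answer recommends for this key.
// "post" is the object type chosen here to key the filter (an assumption).
add_filter( 'sanitize_post_meta__order_note', 'sanitize_text_field', 10, 1 );

/**
 * Clean the raw note: remove the slashes WordPress adds to $_POST, then run
 * the registered sanitizer through sanitize_meta(). Returns a plain string.
 */
function example_clean_order_note( $raw ) {
    $unslashed = wp_unslash( $raw );
    return sanitize_meta( '_order_note', $unslashed, 'post' );
}

/**
 * AJAX handler: authorize, validate, sanitize, then write the meta.
 */
function example_save_order_note() {
    // 1. Authorization: a valid nonce and the capability to edit orders.
    check_ajax_referer( 'save_order_note', 'order_note_nonce' );
    if ( ! current_user_can( 'edit_shop_orders' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Validation: the target order must exist.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'unknown order', 404 );
    }

    // 3. Sanitization: update_meta_data() does not sanitize, so do it here,
    //    and bound the size so a user cannot store arbitrarily large blobs.
    $note = isset( $_POST['order_note'] ) ? example_clean_order_note( $_POST['order_note'] ) : '';
    if ( strlen( $note ) > 1000 ) {
        wp_send_json_error( 'note too long', 400 );
    }

    // 4. Write: same two calls as in the question.
    $order->update_meta_data( '_order_note', wp_json_encode( $note ) );
    $order->save_meta_data();

    wp_send_json_success();
}
add_action( 'wp_ajax_save_order_note', 'example_save_order_note' );

/**
 * Rendering: escape for the HTML context at output time. Sanitizing on the
 * way in limits what gets stored; escaping on the way out is what prevents
 * the stored value from being interpreted as markup.
 */
function example_render_order_note( WC_Order $order ) {
    $stored = $order->get_meta( '_order_note' );
    $note   = json_decode( $stored, true );
    return '<p>' . esc_html( is_string( $note ) ? $note : '' ) . '</p>';
}
```

Note that the four steps address different risks: the nonce and capability check stop an unauthorized caller from writing meta at all; sanitize_meta (or sanitize_text_field directly) controls what content is accepted; and esc_html at render time is what actually protects the page that displays the note. The JSON encoding is kept exactly as in the question, so the render helper decodes it before escaping.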