The difference between data validation and data sanitisation

Data validation and data sanitisation are two important concepts for WordPress plugin developers to understand.

Both techniques are used to ensure the quality and security of the data that is processed and stored by a WordPress plugin.

By using these techniques, plugin developers can help to prevent errors and vulnerabilities, and provide a better user experience.

What is data validation?

Data validation is the process of checking the data that is submitted by users or external sources to make sure it is correct and in the right format.

For example, if a WordPress plugin allows users to submit a phone number, data validation would be used to ensure that the phone number is in the correct format (e.g. 04########) and contains only the expected characters (e.g. digits 0-9).

Data validation is important because it helps to prevent invalid data from being stored in the database, which could cause errors.

Data validation is often done using a regular expression and a PHP function like preg_match(), for example:

function validate_phone_number($phone) {
    $pattern = '/^04\d{8}$/';
    return preg_match($pattern, $phone) === 1;
}

In this example, the validate_phone_number() function uses a regular expression to match the phone number against the expected format (e.g. 04########).

If the phone number is in the correct format, the function returns true; otherwise, it returns false.
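The phone check above generalises to a whole form: each field gets its own rule, and validation only accepts or rejects, it never alters the submitted value. The following is an added example written for this article, not code from the article itself or from WordPress. It uses plain PHP so it runs from the command line without WordPress; the field names, the rules other than the phone pattern, and the function name validate_contact_form() are assumptions made for the illustration.

```php
<?php
// Added example (not from the original article): validating a complete form
// submission in plain PHP. Field names and rules (other than the article's
// phone pattern) are assumptions made for this illustration.

declare(strict_types=1);

/**
 * Validate a contact-form submission.
 * Returns an array of field => error message; an empty array means valid.
 * Validation only accepts or rejects; it never modifies the data.
 */
function validate_contact_form(array $input): array
{
    $errors = [];

    // Name: required, 2..80 characters (counted as UTF-8 characters).
    $name = $input['name'] ?? '';
    if (!is_string($name) || mb_strlen(trim($name)) < 2 || mb_strlen($name) > 80) {
        $errors['name'] = 'Name must be between 2 and 80 characters.';
    }

    // Email: PHP's built-in validator returns false when the address is invalid.
    $email = $input['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email address is not valid.';
    }

    // Phone: the article's format, ten digits starting with 04.
    $phone = $input['phone'] ?? '';
    if (!is_string($phone) || preg_match('/^04\d{8}$/', $phone) !== 1) {
        $errors['phone'] = 'Phone number must be in the form 04########.';
    }

    // Quantity: digits only, then a range check. Checking ctype_digit() first
    // rejects values such as "1e3", " 5" or "5.0" that an (int) cast would accept.
    $qty = $input['quantity'] ?? '';
    if (!is_string($qty) || !ctype_digit($qty) || (int) $qty < 1 || (int) $qty > 100) {
        $errors['quantity'] = 'Quantity must be a whole number from 1 to 100.';
    }

    return $errors;
}

// Constructed sample submissions, shaped like the contents of $_POST.
$good = ['name' => 'Ada Lovelace', 'email' => 'ada@example.com',
         'phone' => '0412345678',   'quantity' => '3'];
$bad  = ['name' => 'A',            'email' => 'not-an-email',
         'phone' => '+61 412 345 678', 'quantity' => '1e3'];

var_dump(validate_contact_form($good) === []);   // bool(true)
print_r(validate_contact_form($bad));            // one error message per field
```

The is_string() guards matter because $_POST values can be arrays when a form uses field names like name[], and several of the checks (ctype_digit() in particular) behave differently on non-string input. In a real plugin the same rules would run inside the form handler after the nonce check, with the error array used to reject the request before anything is stored.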

What is data sanitisation?

Data sanitisation, on the other hand, is the process of cleaning the data to make it safe for use.

This involves removing any potentially harmful or malicious content from the data, such as HTML tags or JavaScript code.

Data sanitisation is important because it helps to prevent security vulnerabilities, such as cross-site scripting attacks, by ensuring that the data does not contain any harmful content.

For example, if a WordPress plugin allows users to submit a comment on a blog post, data sanitisation could be used to remove any HTML tags from the comment to prevent cross-site scripting attacks.

This can be done using the PHP function strip_tags(), for example:

function sanitize_comment($comment) {
    return strip_tags($comment);
}

In this example, the sanitize_comment() function uses the strip_tags() function to remove any HTML tags from the comment. This cleans the comment and makes it safer to display on the web site.
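Sanitising on the way in and escaping on the way out are separate steps, and strip_tags() only covers the first. The following added example, written for this article rather than taken from it or from WordPress, shows the article's sanitize_comment() beside an output-escaping step and a documented pitfall of strip_tags() allow-lists. The function names escape_for_html() and render_comment() are assumptions for the illustration; strip_tags() and htmlspecialchars() are PHP built-ins.

```php
<?php
// Added example (not from the original article): sanitise a comment for
// storage, then escape it separately when it is rendered. Function names
// other than the PHP built-ins are assumptions for this illustration.

declare(strict_types=1);

/** Sanitise on input: drop every HTML tag but keep the text (the article's approach). */
function sanitize_comment(string $comment): string
{
    return strip_tags($comment);
}

/** Escape on output: make any remaining HTML-special characters inert. */
function escape_for_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render a stored comment inside a template fragment. */
function render_comment(string $stored): string
{
    return '<p class="comment">' . escape_for_html($stored) . '</p>';
}

// Constructed inputs.
$tagged = '<script>alert(1)</script>Hello';
$plain  = 'Tom & Jerry say "hi"';

// 1. strip_tags() removes the tags but keeps their text content.
$stored = sanitize_comment($tagged);
echo $stored, PHP_EOL;                 // alert(1)Hello

// 2. Escaping at output covers characters that sanitising left untouched,
//    so a comment with no tags at all still cannot break out of the <p>.
echo render_comment($plain), PHP_EOL;  // <p class="comment">Tom &amp; Jerry say &quot;hi&quot;</p>

// 3. Pitfall: when strip_tags() is given an allow-list it keeps every
//    attribute on the allowed tags, so it is not a substitute for an
//    attribute-aware HTML filter.
$allowed = strip_tags('<a href="https://example.com" onclick="x()">link</a>', '<a>');
echo $allowed, PHP_EOL;                // <a href="https://example.com" onclick="x()">link</a>
```

In a WordPress plugin the equivalents are wp_kses_post() (an allow-list filter that also removes disallowed attributes) for sanitising stored HTML and esc_html() or esc_attr() for escaping at output; the point is the same, which is that a value is sanitised once on input and escaped every time it is rendered.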