Tutorial by Examples

sanitize_text_field()

Checks for invalid UTF-8, strips all tags, removes line breaks, tabs and extra whitespace, and drops percent-encoded octets. Use it for plain text submitted through a form before storing it:

$title = sanitize_text_field( $_POST['title'] );
sanitize_title()

Turns a string into a URL slug: tags and accents are removed, the text is lowercased, and runs of whitespace and punctuation become hyphens. The returned value is intended to be suitable for use in a URL, not as a human-readable title, so for text that will be displayed use sanitize_text_field() instead:

$new_url = sanitize_title( $title );
sanitize_html_class()

Keeps only the characters that are valid in an HTML class name (A-Z, a-z, 0-9, underscore and hyphen) and removes everything else, including spaces, so a title such as "Hello World" becomes "HelloWorld". If nothing survives, the optional second argument is returned as a fallback. Because the result can only contain those characters it cannot break out of the attribute, but escaping it with esc_attr() on output still costs nothing:

$post_class = sanitize_html_class( $post->post_title );
echo '<div class="' . $post_class . '">';
sanitize_file_name()

Removes characters that are special in file names and paths (among them "/", "\", ":", "?", "<", ">", "&", "%" and the null byte), turns whitespace into hyphens and trims leading and trailing dots, hyphens and underscores:

$incfile = sanitize_file_name( $_REQUEST["file"] );
include( $incfile . ".php" );

Without sanitizing the file name an attacker could simply pass http://attacker_site/malicous_page as input and, on a server with allow_url_include enabled, execute whatever code that page contains; even with remote includes disabled, a value such as ../../wp-config would pull in a local file through path traversal. sanitize_file_name() strips the slashes and the colon, so what remains is a bare file name, but that name can still be any .php file in the include directory. Treat it as a first step and compare the result against an allow-list of the files you actually intend to include.
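The include pattern above, first as written and then hardened so that sanitize_file_name() is not the only line of defence. This is an added example, not code from the original page or from WordPress itself; it assumes a bootstrapped WordPress install (sanitize_file_name() and wp_die() are WordPress functions), and the pages/ directory, the template names and the request values are constructed for the demo.

```php
<?php
/**
 * Added example (not from the original page): the include pattern shown
 * above, as written and then hardened with an allow-list and a realpath()
 * containment check.
 *
 * Assumes WordPress is loaded (e.g. run with `wp eval-file` or placed in
 * wp-content/mu-plugins/). The pages/ directory, template names and
 * request values below are constructed for the demo.
 */

/** Vulnerable form (as on the page): any .php file the name resolves to gets included. */
function load_page_unsafe( $requested ) {
    $incfile = sanitize_file_name( $requested );
    include( $incfile . '.php' );
}

/**
 * Hardened form: map the request onto a fixed set of template files inside
 * $template_dir. Returns the absolute path to include, or null when the
 * request is not one of the allowed pages.
 */
function resolve_page( $requested, $template_dir, array $allowed ) {
    $name = sanitize_file_name( (string) $requested );

    // 1. Allow-list: the sanitized name must be one we intend to serve.
    if ( ! in_array( $name, $allowed, true ) ) {
        return null;
    }

    // 2. Containment: the resolved path must still live inside the template dir.
    $base = realpath( $template_dir );
    $path = realpath( $template_dir . DIRECTORY_SEPARATOR . $name . '.php' );
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}

function load_page_safe( $requested, $template_dir, array $allowed ) {
    $path = resolve_page( $requested, $template_dir, $allowed );
    if ( null === $path ) {
        wp_die( 'Unknown page', 404 );
    }
    include $path;
}

/**
 * Constructed requests: what each turns into after sanitize_file_name(),
 * and whether resolve_page() lets it through. 'allowed' is true only for
 * allow-listed names whose .php file exists under pages/.
 */
function resolve_page_demo() {
    $dir     = dirname( __FILE__ ) . '/pages';        // hypothetical template dir
    $allowed = array( 'about', 'contact' );           // hypothetical allow-list
    $cases   = array(
        'about',                                      // legitimate request
        'http://attacker_site/malicous_page',         // remote include attempt
        '../../wp-config',                            // path traversal attempt
        'admin-tools',                                // a real .php name, but not allow-listed
    );
    $out = array();
    foreach ( $cases as $req ) {
        $out[ $req ] = array(
            'sanitized' => sanitize_file_name( $req ),
            'allowed'   => null !== resolve_page( $req, $dir, $allowed ),
        );
    }
    return $out;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    foreach ( resolve_page_demo() as $req => $row ) {
        WP_CLI::log( sprintf( '%-40s -> %-32s allowed=%s',
            $req, $row['sanitized'], $row['allowed'] ? 'yes' : 'no' ) );
    }
}
```

The allow-list is the check that does the real work: after sanitize_file_name() the remote URL and the traversal attempt are reduced to harmless-looking bare names, but without step 1 a name like admin-tools would still include a file the request was never meant to reach. The realpath() comparison in step 2 is a second guard against the template directory itself containing symlinks or unexpected entries.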
sanitize_user()

Strips tags (including the contents of <script> and <style> elements), accents, percent-encoded octets and HTML entities, and collapses whitespace. With the optional second argument set to true it additionally reduces the name to letters, digits, space, underscore, hyphen, period and "@":

$user = sanitize_user( "attacker username<script>console.log(document.cookie)</script>" );

$user value after sanitize is "attacker username".
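To see how the string sanitizers above (sanitize_text_field(), sanitize_title(), sanitize_html_class() and sanitize_user()) differ on the same hostile input, the following added example runs each of them over a handful of constructed attacker-style strings and collects the before/after pairs. It is not code from the original page or from WordPress; it assumes a bootstrapped WordPress install (run it with `wp eval-file`, or place it in wp-content/mu-plugins/ and call sanitize_demo()), and the inputs and labels are made up for the demo.

```php
<?php
/**
 * Added example (not from the original page): feed the same hostile
 * strings through the WordPress sanitizers discussed above and collect
 * the before/after pairs for comparison.
 *
 * Assumes WordPress is loaded. The inputs are constructed for the demo;
 * the sanitize_* and esc_attr() calls are real WordPress functions.
 */

/** Constructed attacker-style inputs (not real submissions). */
function sanitize_demo_inputs() {
    return array(
        'plain title'     => '  Hello World!  ',
        'script in title' => 'Hello<script>alert(document.cookie)</script> World',
        'encoded octets'  => 'Hello%3Cb%3EWorld',
        'accented title'  => 'Crème brûlée & Tea',
        'attr breakout'   => 'post" onmouseover="alert(1)',
        'entity in name'  => 'attacker&lt;b&gt;name',
    );
}

/** Run every sanitizer over every input; returns [label => [sanitizer => output]]. */
function sanitize_demo() {
    $results = array();
    foreach ( sanitize_demo_inputs() as $label => $raw ) {
        $results[ $label ] = array(
            'raw'                  => $raw,
            // plain text for storage or display: tags, octets, extra whitespace removed
            'sanitize_text_field'  => sanitize_text_field( $raw ),
            // URL slug: lowercased and hyphenated, not meant for display
            'sanitize_title'       => sanitize_title( $raw ),
            // class attribute: only [A-Za-z0-9_-] survive; 'post' is the fallback
            'sanitize_html_class'  => sanitize_html_class( $raw, 'post' ),
            // login name: tags, accents, octets and entities stripped
            'sanitize_user'        => sanitize_user( $raw ),
            // strict mode also drops everything outside letters, digits, space, _ . - @
            'sanitize_user strict' => sanitize_user( $raw, true ),
        );
    }
    return $results;
}

/** Sanitizing on input does not replace escaping on output for the target context. */
function sanitize_demo_render_class( $raw ) {
    $class = sanitize_html_class( $raw, 'post' );
    return '<div class="' . esc_attr( $class ) . '"></div>';
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    foreach ( sanitize_demo() as $label => $row ) {
        WP_CLI::log( '== ' . $label );
        foreach ( $row as $fn => $value ) {
            WP_CLI::log( sprintf( '  %-22s %s', $fn, var_export( $value, true ) ) );
        }
    }
    WP_CLI::log( sanitize_demo_render_class( 'post" onmouseover="alert(1)' ) );
}
```

Reading the output side by side makes the division of labour clear: sanitize_text_field() is the one to keep a value readable, sanitize_title() and sanitize_html_class() rewrite the value for a specific target (a URL path segment, a class token), and sanitize_user() is the only one that touches HTML entities. Pick the sanitizer by where the value is going, then still escape it for that context when you print it.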
