How could I sanitize the received data from this code?

<form id="tellastory" method="post" action="">
    <label for="fullname">Full Name </label>
    <input id="fullname" name="fullname" type="text" maxlength="255" value=""/>
    <label for="title">Title </label>
    <input id="title" name="title" type="text" maxlength="255" value=""/>
    <label for="editor">Message </label>
    <textarea id="editor" name="editor" rows="20" cols="50"></textarea>
    <input type="hidden" name="form_id" value="123456" />
    <input id="saveForm" type="submit" name="submit" value="submit" />
</form>
<?php
$storyteller_user_id = "3";  // your guest user id here
$stories_category = "3";     // your stories category id here (must be set: it is used below)
$key = "storyteller";

// The raw $_POST values are written straight into the post without any
// sanitization; that is what the question is asking how to fix.
if (isset($_POST['form_id']) && $_POST['form_id'] == "123456") {
    $my_post = array();
    $my_post['post_title']    = $_POST['title'];
    $my_post['post_content']  = $_POST['editor'];
    $my_post['post_status']   = 'publish';
    $my_post['post_author']   = $storyteller_user_id;
    $my_post['post_category'] = array($stories_category);
    $post_Num = wp_insert_post( $my_post );
    add_post_meta($post_Num, $key, $_POST['fullname']);
}
?>

1 comment

  1. Sanitization and escaping is always heavily context-dependent and I’m not an expert in this field; anyway, I did some ‘research’ myself recently, so I’ll try to supply you with some general guidelines until someone with more insight comes and offers the ultimate in-depth answer (which I’ll be eager to read too).

    Codex article on Data Validation is a good starter. I believe esc_html() is the most used method for output.

    There also seems to be a newcomer to WP escaping family in WordPress 3.1 – esc_textarea().

    WordPress is trying to make your life easier as always – so be sure to check for existing context-specific functions like sanitize_title() or sanitize_user().

    I recommend you do some source-diving and go through the functions in wp-includes/formatting.php to learn more about the various methods and how they are constructed.

    There has been a similar discussion on wp-hackers recently – definitely worth reading:
    WP-HACKERS: Saving input from untrusted users. I will dare to quote Andrew Nacin’s input on this one:

    Generalizing here: sanitization should be done on save, and escaping on display.

    So you’ll want to run kses, absint, esc_url_raw, sanitize_text_field, what have you, on save. Then, use esc_url, esc_html along with texturization or whatever else you need, what have you, on output. There may be use cases for running kses on display. We do it in some instances. But as long as the data is safe going in, it’s going to be safe coming out. (And if it isn’t, then you have a larger problem.)

    Still want more? 😉
    The Code Cave: WordPress Security – a plugin done right
    Smashing Magazine: Keeping Web Users Safe By Sanitizing Input Data

    Have a nice and secure day.
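The following is an added example, not code from the question or from the answer above: the asker's form handler rewritten to follow the "sanitize on save, escape on display" rule quoted from wp-hackers. It assumes it runs inside WordPress (sanitize_text_field(), wp_kses_post(), absint(), wp_unslash(), wp_nonce_field(), wp_verify_nonce(), wp_insert_post(), add_post_meta(), esc_attr(), esc_textarea() and esc_html() are WordPress core functions); the nonce action name `tellastory_submit`, the function name `tellastory_handle_submission()` and the user/category ids are placeholders chosen for this example.

```php
<?php
// Added example (not from the question or the answer). Assumes WordPress is
// loaded; 'tellastory_submit' and the ids below are placeholder values.

$storyteller_user_id = 3;   // placeholder guest user id
$stories_category    = 3;   // placeholder stories category id
$key                 = 'storyteller';

// Returns the new post id, null when the form was not submitted, or a WP_Error.
function tellastory_handle_submission( $storyteller_user_id, $stories_category, $key ) {
    // 1. Only act on a real POST of this form, and verify the nonce so a forged
    //    request from another site (CSRF) cannot create stories.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] || ! isset( $_POST['form_id'] ) ) {
        return null;
    }
    if ( ! isset( $_POST['_wpnonce'] ) || ! wp_verify_nonce( $_POST['_wpnonce'], 'tellastory_submit' ) ) {
        return new WP_Error( 'bad_nonce', 'Form check failed, please try again.' );
    }

    // 2. Sanitize on save. WordPress adds slashes to $_POST, so wp_unslash() first.
    //    absint():              non-negative integer for the hidden form id.
    //    sanitize_text_field(): strips tags, invalid UTF-8 and extra whitespace
    //                           (right for single-line fields like name and title).
    //    wp_kses_post():        keeps only the HTML allowed in post content and
    //                           removes scripts, event handlers and javascript: URLs.
    $form_id  = absint( wp_unslash( $_POST['form_id'] ) );
    $fullname = sanitize_text_field( wp_unslash( $_POST['fullname'] ?? '' ) );
    $title    = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    $content  = wp_kses_post( wp_unslash( $_POST['editor'] ?? '' ) );

    if ( 123456 !== $form_id || '' === $title || '' === $content ) {
        return new WP_Error( 'invalid_input', 'Title and message are required.' );
    }

    $post_id = wp_insert_post( array(
        'post_title'    => $title,
        'post_content'  => $content,
        // Untrusted submissions are held for review; use 'publish' to keep the
        // original behaviour of going live immediately.
        'post_status'   => 'pending',
        'post_author'   => $storyteller_user_id,
        'post_category' => array( $stories_category ),
    ), true );

    if ( is_wp_error( $post_id ) ) {
        return $post_id;
    }
    add_post_meta( $post_id, $key, $fullname, true );
    return $post_id;
}

$result = tellastory_handle_submission( $storyteller_user_id, $stories_category, $key );
?>
<?php if ( is_wp_error( $result ) ) : ?>
    <!-- 3. Escape on display: every value echoed into HTML goes through an esc_* function. -->
    <p><?php echo esc_html( $result->get_error_message() ); ?></p>
<?php elseif ( is_int( $result ) ) : ?>
    <p>Thank you, <?php echo esc_html( get_post_meta( $result, $key, true ) ); ?>; your story is awaiting review.</p>
<?php endif; ?>

<form id="tellastory" method="post" action="">
    <?php wp_nonce_field( 'tellastory_submit' ); ?>
    <label for="fullname">Full Name </label>
    <!-- Raw input echoed back into an attribute is escaped with esc_attr(). -->
    <input id="fullname" name="fullname" type="text" maxlength="255"
           value="<?php echo esc_attr( wp_unslash( $_POST['fullname'] ?? '' ) ); ?>"/>
    <label for="title">Title </label>
    <input id="title" name="title" type="text" maxlength="255"
           value="<?php echo esc_attr( wp_unslash( $_POST['title'] ?? '' ) ); ?>"/>
    <label for="editor">Message </label>
    <!-- Textarea content is escaped with esc_textarea(), the function the answer mentions. -->
    <textarea id="editor" name="editor" rows="20" cols="50"><?php
        echo esc_textarea( wp_unslash( $_POST['editor'] ?? '' ) ); ?></textarea>
    <input type="hidden" name="form_id" value="123456" />
    <input id="saveForm" type="submit" name="submit" value="submit" />
</form>
```

Two points worth noting about the split. The save path uses `wp_kses_post()` rather than stripping all tags because the message field is meant to hold formatted content; if plain text is all that is wanted, `sanitize_textarea_field()` is the stricter choice. On the display path the form re-populates fields from the raw `$_POST` values on purpose: it shows that output escaping (`esc_attr()`, `esc_textarea()`, `esc_html()`) must happen even for data that was never saved, which is exactly the "escape on display" half of the rule.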