I find the Data Validation page on the Codex a bit confusing. It highlights what all the functions do, but not how one differs from another and which one should be the right choice in a particular use case.
Like earlier, Rarst created an awesome chart to show the difference between WP_Query, query_posts() and get_posts(), and it was so much easier to understand the difference among them & I could point anyone to that chart to make them understand the difference.
Examples of the different validation functions would help developers understand them better and not leave them confused to such an extent. Does having them sound like a good idea?
I think the common issue (that I myself have at times) with understanding data validation is that we try to approach it as function-centric (which one to use), while it should be approached as a process:
The confusing number of functions comes from the abundance of possible combinations, and they still won't cover all possibilities. While sanitization is covered, validation is usually something you code yourself in the context of your data.
The nature of the data is different. A number is different from a URL, from text, from HTML code, from a user name, etc.
The purpose of sanitization is different. Data going into the database is sanitized mostly to prevent SQL exploits. Data going to the screen is sanitized mostly to prevent harmful JavaScript from running.
So while there are confusingly many functions, there is no simple logic to using them. That logic entirely depends on your specific data. You need to:
For a solid overview of security basics in WordPress I recommend watching Theme & Plugin Security by Mark Jaquith.
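As an added example (not from the question, the answer, or WordPress itself) of the process-based approach the answer describes, here is a hypothetical plugin settings form whose option name `myplugin_settings`, field names and `myplugin_*` functions are all assumed for illustration. Each field is handled on the way in according to the nature of its data, and on the way out according to where it is going.

```php
<?php
// Added example: sanitize/validate by data type on input, escape by destination on output.
// The option name, field names and myplugin_* functions are hypothetical.

// --- On the way IN: validate and sanitize according to the nature of each value ---
function myplugin_sanitize_settings( array $raw ) {
    $clean = array();

    // Number: must be a positive integer in a sane range, otherwise fall back to default.
    $clean['items_per_page'] = absint( $raw['items_per_page'] ?? 10 );
    if ( $clean['items_per_page'] < 1 || $clean['items_per_page'] > 100 ) {
        $clean['items_per_page'] = 10;
    }

    // URL: esc_url_raw() is the storage form; only http(s) schemes are kept.
    $clean['feed_url'] = esc_url_raw( $raw['feed_url'] ?? '', array( 'http', 'https' ) );

    // Plain text: strips tags, line breaks and stray octets.
    $clean['title'] = sanitize_text_field( $raw['title'] ?? '' );

    // HTML: allow only the tags and attributes permitted in post content.
    $clean['intro_html'] = wp_kses_post( $raw['intro_html'] ?? '' );

    // User name: sanitize the login, then VALIDATE that the user exists and store the ID.
    $login = sanitize_user( $raw['author_login'] ?? '', true );
    $user  = ( '' !== $login ) ? get_user_by( 'login', $login ) : false;
    $clean['author_id'] = $user ? (int) $user->ID : 0;

    return $clean;
}
register_setting( 'myplugin', 'myplugin_settings', 'myplugin_sanitize_settings' );

// --- On the way OUT: escape for the destination context, not for the data type ---
function myplugin_render_settings() {
    $s = get_option( 'myplugin_settings', array() );

    // HTML attribute context.
    echo '<input type="number" name="items_per_page" value="' . esc_attr( $s['items_per_page'] ?? 10 ) . '">';
    // href attribute and element text contexts (esc_url() for display, esc_url_raw() was for storage).
    echo '<a href="' . esc_url( $s['feed_url'] ?? '' ) . '">' . esc_html( $s['title'] ?? '' ) . '</a>';
    // Stored HTML is filtered again on output; storage or other code may have changed it.
    echo wp_kses_post( $s['intro_html'] ?? '' );

    // Database context: no string concatenation, $wpdb->prepare() does the quoting.
    global $wpdb;
    $count = $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_author = %d AND post_status = %s",
        (int) ( $s['author_id'] ?? 0 ), 'publish'
    ) );
    echo '<p>' . esc_html( sprintf( '%d published posts', $count ) ) . '</p>';
}
```

The same stored value is escaped differently depending on whether it lands in an attribute, element text, or a SQL statement, which is the "process, not function" point of the answer.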