I’m using wp_signon() to authenticate a user:

```php
$data = array();
$data['user_login']    = $_POST['username'];
$data['user_password'] = $_POST['password'];
$data['remember']      = false; // wp_signon() reads the key 'remember', not 'rememberme'
$user_login = wp_signon( $data, true );
```
As you can see, I’ve done nothing to sanitize the user’s login and password. I was thinking of doing something like sanitize_user( $_POST['username'] ) and then maybe something similar with the password, but am unsure if this is necessary.

Should I sanitize $_POST['username'] and $_POST['password']? If so, I’d be grateful if you could explain why it is necessary in this use-case.
Ref: http://codex.wordpress.org/Function_Reference/wp_signon
As a rule of thumb “TRUST NO ONE”, but the wp_signon() function uses the wp_authenticate function, which sanitizes the user and trims the password for you.
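To show what a complete handler built on the answer above looks like, here is an added example (written for this page, not code from the question, the answer, or WordPress itself). It relies on the point the answer makes: wp_authenticate() already applies sanitize_user() to the login and trim() to the password, so the caller's job is not to "clean" the password (any transformation of it would simply make a valid password stop matching its stored hash) but to guard the request itself and handle the result. The action name 'custom_login', the nonce field name and the redirect targets are assumptions for illustration.

```php
<?php
// Added example: a login handler around wp_signon(). Assumes it runs inside a
// WordPress request (hooked to 'init'). Names marked below are illustrative.

function example_handle_login() {
    if ( ! isset( $_POST['username'], $_POST['password'], $_POST['custom_login_nonce'] ) ) {
        return;
    }

    // CSRF check. The login form is assumed to emit the nonce with
    // wp_nonce_field( 'custom_login', 'custom_login_nonce' ).
    if ( ! wp_verify_nonce( $_POST['custom_login_nonce'], 'custom_login' ) ) {
        wp_die( 'Invalid request.' );
    }

    $creds = array(
        // WordPress slashes $_POST, so unslash first. sanitize_user() here is
        // harmless but redundant: wp_authenticate() runs it again internally.
        'user_login'    => sanitize_user( wp_unslash( $_POST['username'] ) ),
        // Do NOT run sanitize_text_field() / esc_*() on the password: it is
        // compared against a hash, and altering it only breaks valid logins.
        // wp_authenticate() itself only trims surrounding whitespace.
        'user_password' => wp_unslash( $_POST['password'] ),
        // Correct key is 'remember' (not 'rememberme').
        'remember'      => ! empty( $_POST['remember'] ),
    );

    // Second argument: set the secure cookie flag when the site is served over TLS.
    $user = wp_signon( $creds, is_ssl() );

    if ( is_wp_error( $user ) ) {
        // Log the specific reason server-side; show the visitor a generic
        // result so the page does not confirm which usernames exist.
        error_log( 'Login failed: ' . $user->get_error_code() );
        $back = wp_get_referer() ? wp_get_referer() : home_url( '/' );
        wp_safe_redirect( add_query_arg( 'login', 'failed', $back ) );
        exit;
    }

    // Success: wp_signon() has already set the auth cookies.
    wp_safe_redirect( home_url( '/' ) );
    exit;
}
add_action( 'init', 'example_handle_login' );
```

Two details worth keeping: is_wp_error() must be checked because wp_signon() returns a WP_Error object rather than false on failure, and wp_safe_redirect() is used instead of wp_redirect() so a tampered referer cannot send the user off-site.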