PHPFixing

Saturday, January 8, 2022

[FIXED] Are values passed to the WooCommerce update_meta_data method fully sanitized?

Tags: sanitization, sql-injection, woocommerce, wordpress

Issue

I'm writing a WordPress plugin in which there is an input form that users can use to add notes. I'm using the WooCommerce update_meta_data method to save the notes in the database.

Considering this code:

$note = isset($_POST['order_note']) ? sanitize_text_field($_POST['order_note']) : '';
$order->update_meta_data('_order_note', wp_json_encode($note));
$order->save_meta_data();

I know that update_post_meta sanitizes data (SQL Injection) before inserting it into the database, but how about update_meta_data?

Is the above code safe to use for inserting data into the database?


Solution

update_meta_data

As far as I can see in Woo's update_meta_data (Source Code), there is not any sanitizing function getting called.

update_metadata

On the other hand, if you take a look at the WordPress update_metadata (Docs), there are two sanitizing functions getting called:

  • sanitize_key (Source Code)

and

  • sanitize_meta (Source Code)

So to answer your question, yes, I would use a sanitizing function too before I update the meta data using update_meta_data.

In order to do that, sanitize_text_field would usually get the job done fine, but if you want to be sure that you're using the right sanitizing function, then use sanitize_meta (Docs) instead. That's what WordPress itself is using. Security-wise, I, personally, never had any problems using sanitize_text_field, nor did I see anybody else having any problems with it. The snippet you provided us with looks safe to me.



Answered By - Ruvee
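
An added example, not part of the original question or answer and not WooCommerce's own code: one way to route the note through sanitize_meta before update_meta_data, and to escape it again on output. It assumes WordPress with WooCommerce loaded and a logged-in customer; the save_order_note action, the order_note_nonce and order_id fields, the 1000-character limit and example_render_order_note are hypothetical names.

```php
<?php
// Added example. Assumes WordPress + WooCommerce; action, nonce and field names are hypothetical.

// sanitize_meta() only applies the filter sanitize_{object_type}_meta_{meta_key}.
// With no callback attached it returns the value unchanged, so attach one for this key.
// The key '_order_note' starts with an underscore, hence the double underscore below.
add_filter( 'sanitize_post_meta__order_note', function ( $value ) {
    $value = sanitize_textarea_field( $value ); // strips tags, keeps line breaks; arrays become ''
    return mb_substr( $value, 0, 1000 );        // hypothetical length limit
} );

// admin_post_{action} fires for logged-in users posting to admin-post.php.
add_action( 'admin_post_save_order_note', function () {
    // Sanitizing the value does not replace the CSRF and ownership checks.
    check_admin_referer( 'save_order_note', 'order_note_nonce' );

    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order || (int) $order->get_customer_id() !== get_current_user_id() ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }

    // WordPress adds slashes to $_POST; remove them before sanitizing.
    $raw  = isset( $_POST['order_note'] ) ? wp_unslash( $_POST['order_note'] ) : '';
    $note = sanitize_meta( '_order_note', $raw, 'post' );

    // Stored as a plain string here (the question's snippet JSON-encodes it instead).
    $order->update_meta_data( '_order_note', $note );
    $order->save_meta_data();

    wp_safe_redirect( wp_get_referer() ?: home_url() );
    exit;
} );

// Stored text is still untrusted when rendered: escape for the HTML context.
function example_render_order_note( WC_Order $order ) {
    $note = (string) $order->get_meta( '_order_note' );
    echo '<p>' . nl2br( esc_html( $note ) ) . '</p>';
}
```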