In situations like this, always escape while creating the string and store the value in a variable that is postfixed with _escaped, _safe or _clean.
So instead of $variable do $variable_escaped or $variable_safe.
It is sometimes not practical to escape late.
WordPress thankfully has a few helper functions we can use for most of what we’ll commonly need to do. esc_html() should be used any time our HTML element encloses a section of data we’re outputting.
wp_kses() can be used on everything that is expected to contain HTML.
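The two helpers in practice, together with the naming convention for escaped variables. This is an added example, not code from the original page: it assumes it runs inside WordPress (where esc_html(), wp_kses() and wp_kses_post() are loaded), and my_render_author_card(), the $title/$bio inputs and the allowed-tags list are all constructed here for illustration.

```php
<?php
// Added example (not from the original page). Assumes a WordPress environment,
// so esc_html() and wp_kses() are available. my_render_author_card() is a
// hypothetical name; the inputs below are constructed, untrusted sample data.

function my_render_author_card( $title, $bio ) {
    // Plain-text data enclosed by an element: esc_html() encodes the
    // characters that would otherwise be parsed as markup.
    $title_escaped = esc_html( $title );

    // Data that is expected to contain HTML: wp_kses() keeps only the tags
    // and attributes listed here and drops everything else (including any
    // on* event-handler attributes, which are not in the list).
    $bio_allowed = array(
        'a'      => array( 'href' => array(), 'title' => array() ),
        'em'     => array(),
        'strong' => array(),
        'br'     => array(),
    );
    $bio_safe = wp_kses( $bio, $bio_allowed );

    // Only the *_escaped / *_safe variables are ever concatenated into output.
    return '<div class="author-card"><h3>' . $title_escaped . '</h3>'
         . '<p>' . $bio_safe . '</p></div>';
}

// Constructed sample input, as it might arrive from user-editable profile fields.
$title = 'Jane <script>alert(1)</script>';
$bio   = 'Writes about <strong>security</strong>. '
       . '<a href="https://example.com" onclick="doSomething()">Site</a>';

echo my_render_author_card( $title, $bio );
```

The point of the two distinct variables is that a reader of the template can tell at a glance which values have been through an escaping function: if a bare `$title` ever appears inside the returned markup, that is a review finding in itself. If the bio is meant to allow the full set of markup a post may contain, `wp_kses_post( $bio )` replaces the hand-built `$bio_allowed` list.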
If it did, we’ll save an empty value to the database.
Otherwise, we’ll save the properly validated zipcode.
We know that validating, sanitizing and escaping can be a complex topic; we’ll add some specific case studies and frequently asked questions here as we think they might be helpful.
Q: Doesn’t a function like WP_Query handle sanitizing user input before running a query for me?

A: For maximum security, we don’t want to rely on WP_Query to sanitize our data and hope that there are no bugs or unexpected interactions there now or in the future.

Note that we could go even further and make sure the zip code is actually a valid one based on ranges and lengths we expect (e.g. 111111111 is not a valid zip code but would be saved fine with the function above).

There are several variants of the main function, each featuring a different list of built-in defaults. A popular example is wp_kses_post(), which allows all markup normally permitted in posts. You can of course roll your own filter by using wp_kses() directly.
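A validation routine that goes the extra step the note above describes: it checks the characters and the shape of the zip code, then the length and numeric range, and saves an empty value on any failure. This is an added example, not the page’s own function; my_sanitize_zipcode() is a hypothetical name, it needs no WordPress functions, and the numeric bounds are configurable parameters whose defaults are an assumption to adjust for your own data.

```php
<?php
// Added example (not the page's own code). Pure PHP; my_sanitize_zipcode()
// is a hypothetical name. Returns the validated zip code, or '' so that an
// empty value (never the raw input) is what reaches the database.

function my_sanitize_zipcode( $raw, $min_prefix = 501, $max_prefix = 99950 ) {
    $zip = trim( (string) $raw );

    // Step 1: characters and shape. Only "12345" or "12345-6789" pass, so a
    // run of nine digits such as 111111111 is rejected here, as is anything
    // containing letters, spaces or markup.
    if ( ! preg_match( '/^(\d{5})(?:-(\d{4}))?$/', $zip, $m ) ) {
        return '';
    }

    // Step 2: range. The five-digit prefix must fall inside the bounds the
    // caller expects; the defaults above are an assumed range, not a fact
    // taken from the page, and should be set from your own reference data.
    $prefix = (int) $m[1];
    if ( $prefix < $min_prefix || $prefix > $max_prefix ) {
        return '';
    }

    // Normalised form: the regex already guarantees exact lengths.
    return isset( $m[2] ) && $m[2] !== '' ? $m[1] . '-' . $m[2] : $m[1];
}

// Constructed sample inputs exercising each branch.
$samples = array(
    '90210',          // plain five digits: kept
    ' 90210-1234 ',   // ZIP+4 with stray whitespace: trimmed and kept
    '111111111',      // nine digits, no hyphen: wrong shape, saved as ''
    '00000',          // below the assumed range: saved as ''
    '9021O',          // letter O instead of zero: saved as ''
    '<b>90210</b>',   // markup: saved as ''
);

foreach ( $samples as $sample ) {
    printf( "%-16s => '%s'\n", var_export( $sample, true ), my_sanitize_zipcode( $sample ) );
}
```

Returning `''` rather than a partially cleaned string matches the behaviour described for the zip code case above: the stored value is either something that passed every check or nothing at all, which keeps later code from having to re-validate what it reads back.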