Is Values Passed To WooCommerce Update_meta_data Method Fully Sanitizing?

I'm writing a WordPress plugin in which there is an input form for users with which they can add notes. I'm using WooCommerce update_meta_data method to save notes in database.

Considering this code:

$note = isset($_POST['order_note']) ? sanitize_text_field($_POST['order_note']) : '';
$order->update_meta_data('_order_note', wp_json_encode($note));

I know that update_post_meta sanitizes data (SQL Injection) before inserting it into database but how about update_meta_data ?

Is above code safe to use for inserting data in database?




As far as I can see on the woo's update_meta_dataSource Code, there is not any sanitizing function getting called.


On the other hand, if you take a look at the wordpress update_metadataDocs, there are two sanitizing functions getting called:


So to answer your question, yes I would use a sanitizing function too before I update the meta data using update_meta_data.

In order to do that, sanitize_text_field would usually get the job done fine, but if you want to be sure that you're using the right sanitizing function, then use sanitize_metaDocs instead. That's what wordpress itself is using. Security-wise, I, personally, never had any problems using sanitize_text_field nor did I see anybody else having any problems with it. The snippet you provided us with, looks safe to me.