Title: Does update_post_meta() use sql prepared statements?
Last modified: August 22, 2016

---

# Does update_post_meta() use sql prepared statements?

 *  Resolved [agm285](https://wordpress.org/support/users/agm285/)
 * (@agm285)
 * [11 years, 3 months ago](https://wordpress.org/support/topic/does-update_post_meta-use-sql-prepared-statements/)
 * I have a custom-post field in which I want to allow the user to save HTML code.
   (The post defines an upcoming concert, and PayPal supplies the pay-button code.
   I want the client to simply paste that into the concert form.) If I sanitize
   the field before saving I lose the tags.
 * The doc says to be careful about saving user input. Validate and sanitize. It
   also says (I recall seeing) that you should use prepared statements when saving
   data. Does that apply to calls to update_post_meta, which is what I’m using?
   (How would I do that?) Or is it referring only to any new functions I create
   that make calls to the database?
 * And is it less important when we’re talking about the dashboard, as opposed to
   public comments on the site?

Viewing 4 replies - 1 through 4 (of 4 total)

 *  [Jon (Kenshino)](https://wordpress.org/support/users/kenshino/)
 * (@kenshino)
 * Lord Jon
 * [11 years, 2 months ago](https://wordpress.org/support/topic/does-update_post_meta-use-sql-prepared-statements/#post-5836327)
 * What you should do is to sanitise the field using wp_kses. (It allows you to
   define the allowed HTML tags.)
 * If you want to allow the standard tags that the WP Editor (TinyMCE) accepts,
   you can use wp_kses_post.
 *  Thread Starter [agm285](https://wordpress.org/support/users/agm285/)
 * (@agm285)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/does-update_post_meta-use-sql-prepared-statements/#post-5836328)
 * It’s not really so much a question of preventing certain tags. I’m wondering 
   whether the string entered in the field is stored in the database using a prepared
   statement. If not, I don’t think preventing certain tags is going to make it 
   safe!
 * On the other hand, this is just a text entry. Maybe an injection attack doesn’t
   work here.
 *  [catacaustic](https://wordpress.org/support/users/catacaustic/)
 * (@catacaustic)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/does-update_post_meta-use-sql-prepared-statements/#post-5836329)
 * As it says on the codex page for [update_post_meta()](http://codex.wordpress.org/Function_Reference/update_post_meta):
 * > The new value of the custom field. A passed array will be serialized into a
   > string. (This should be raw as opposed to sanitized for database queries.)
 * So any values that you pass to it do not need to be escaped or serialized or 
   anything else. Just pass in the values and WordPress will deal with it.
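The two answers above fit together: wp_kses limits what HTML is stored (the cross-site-scripting concern), while the SQL escaping is done inside WordPress, since update_post_meta() hands the value to $wpdb->update()/$wpdb->insert(), which bind it with placeholders. The save handler below is an added example, not code from the thread or from WordPress itself; the post type `concert`, the meta key, the nonce action and the function names are assumptions, and the allowed-tag list is a constructed one covering a typical PayPal "Buy Now" form.

```php
<?php
// Added example (not from the thread): save handler for a "PayPal button"
// custom field that accepts a pasted <form>/<input>/<img> snippet.
// Post type, meta key, nonce action and function names are assumptions.

// Tags and attributes a pasted PayPal button needs. Anything else
// (script, event-handler attributes, iframes) is stripped by wp_kses().
function concert_paypal_allowed_html() {
    return array(
        'form'  => array( 'action' => true, 'method' => true, 'target' => true ),
        'input' => array( 'type' => true, 'name' => true, 'value' => true,
                          'src' => true, 'alt' => true, 'border' => true ),
        'img'   => array( 'src' => true, 'alt' => true, 'width' => true,
                          'height' => true ),
    );
}

function concert_save_paypal_button( $post_id ) {
    // Autosaves and revisions are not a person submitting the meta box.
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    // The request must carry our nonce and come from a user allowed to edit this post.
    if ( ! isset( $_POST['concert_paypal_nonce'] )
        || ! wp_verify_nonce( $_POST['concert_paypal_nonce'], 'concert_save_paypal' ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    if ( ! isset( $_POST['concert_paypal_button'] ) ) {
        return;
    }

    // wp_unslash() removes the slashes WordPress adds to $_POST; wp_kses()
    // then keeps only the whitelisted tags and attributes. This is the XSS defence.
    $raw   = wp_unslash( $_POST['concert_paypal_button'] );
    $clean = wp_kses( $raw, concert_paypal_allowed_html() );

    // No esc_sql()/addslashes() here: update_post_meta() does the SQL binding
    // itself via $wpdb. It does expect $_POST-style slashed input (it calls
    // wp_unslash internally), so wp_slash() keeps any literal backslashes intact.
    update_post_meta( $post_id, '_concert_paypal_button', wp_slash( $clean ) );
}
add_action( 'save_post_concert', 'concert_save_paypal_button' );

// On output, re-apply the same allowed-tag list so the rule is enforced at
// render time as well as at save time.
function concert_paypal_button_html( $post_id ) {
    $stored = get_post_meta( $post_id, '_concert_paypal_button', true );
    return wp_kses( $stored, concert_paypal_allowed_html() );
}
```

Two design points: the capability and nonce checks answer the original poster's dashboard question (the dashboard is only as trusted as the accounts that can reach it), and sanitising on both save and output means a value that reached the database some other way is still filtered before it is printed.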
 *  Thread Starter [agm285](https://wordpress.org/support/users/agm285/)
 * (@agm285)
 * [11 years, 2 months ago](https://wordpress.org/support/topic/does-update_post_meta-use-sql-prepared-statements/#post-5836331)
 * Thanks!


The topic ‘Does update_post_meta() use sql prepared statements?’ is closed to new
replies.

## Tags

 * [database](https://wordpress.org/support/topic-tag/database/)
 * [update_post_meta](https://wordpress.org/support/topic-tag/update_post_meta/)
 * [validation](https://wordpress.org/support/topic-tag/validation/)

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 4 replies
 * 3 participants
 * Last reply from: [agm285](https://wordpress.org/support/users/agm285/)
 * Last activity: [11 years, 2 months ago](https://wordpress.org/support/topic/does-update_post_meta-use-sql-prepared-statements/#post-5836331)
 * Status: resolved
