It is essential to sanitize all data that comes from user input before storing it in the database. Sanitizing is not the same as SQL escaping: core APIs such as update_post_meta() escape the value for the database themselves, but if you write to the database directly through $wpdb, you still need $wpdb->prepare().
To strip unwanted characters from a plain-text field, use the core WordPress function sanitize_text_field():
$title = sanitize_text_field( wp_unslash( $_POST['title'] ) ); // wp_unslash(): WordPress adds slashes to $_POST, so unslash before sanitizing
update_post_meta( $post->ID, 'title', $title );               // update_post_meta() escapes the value for the database itself
Behind the scenes, sanitize_text_field() does the following:
- Checks for invalid UTF-8 and rejects the string if it is malformed
- Converts single less-than characters (<) that do not start a tag to the &lt; entity
- Strips all HTML and PHP tags
- Collapses line breaks, tabs and runs of white space into single spaces and trims the result
- Strips percent-encoded octets such as %20 or %3C
Note that it does not HTML-encode the result: a value sanitized on input must still be escaped when it is output, with esc_html() or esc_attr() as appropriate.
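As an added example (this is not code from the original page), here is a complete meta box that applies the pattern above with the checks a production plugin needs around it: a nonce check, a capability check, wp_unslash() before sanitizing, and escaping on output. The meta box id, hook callbacks, nonce action, field name and the meta key _my_plugin_title are all assumed here for illustration.

```php
<?php
/**
 * Added example, not part of the original page: a meta box whose value is
 * sanitized with sanitize_text_field() on save and escaped on output.
 * All names below (my_plugin_*, _my_plugin_title) are assumed for illustration.
 */

// Register the meta box on the post edit screen.
add_action( 'add_meta_boxes', 'my_plugin_register_title_box' );
function my_plugin_register_title_box() {
    add_meta_box( 'my_plugin_title_box', 'Custom title', 'my_plugin_render_title_box', 'post' );
}

// Render the form field. The stored value is escaped for an attribute context
// here; sanitize_text_field() on input does not replace output escaping.
function my_plugin_render_title_box( $post ) {
    $current = get_post_meta( $post->ID, '_my_plugin_title', true );
    wp_nonce_field( 'my_plugin_save_title', 'my_plugin_title_nonce' );
    echo '<input type="text" name="my_plugin_title" value="' . esc_attr( $current ) . '" />';
}

// Persist the field when the post is saved.
add_action( 'save_post', 'my_plugin_save_title_meta', 10, 2 );
function my_plugin_save_title_meta( $post_id, $post ) {
    // Autosaves and revisions never carry our form field; nothing to do.
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }

    // The field is optional. Also refuse arrays: sanitize_text_field() expects a string
    // and a crafted request can send my_plugin_title[]=... instead.
    if ( ! isset( $_POST['my_plugin_title'] ) || ! is_string( $_POST['my_plugin_title'] ) ) {
        return;
    }

    // CSRF protection: verify the request originated from our form.
    $nonce = isset( $_POST['my_plugin_title_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['my_plugin_title_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'my_plugin_save_title' ) ) {
        return;
    }

    // Authorization: the nonce proves intent, not permission. Check that too.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }

    // WordPress adds slashes to $_POST; remove them before sanitizing,
    // otherwise a quote in the title is stored as \' in the database.
    $title = sanitize_text_field( wp_unslash( $_POST['my_plugin_title'] ) );

    // An empty (or fully stripped) value removes the meta rather than storing ''.
    if ( '' === $title ) {
        delete_post_meta( $post_id, '_my_plugin_title' );
        return;
    }

    // update_post_meta() escapes for the database itself; no $wpdb->prepare() needed here.
    update_post_meta( $post_id, '_my_plugin_title', $title );
}
```

The order of the checks matters: the nonce and capability checks run before any of the submitted data is used, the value is unslashed before it is sanitized, and the escaping for HTML happens only in the render function, at the point where the context (an attribute value) is known.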