do I need to sanitize a shortcode’s function input?

Of course you do have to sanitize it and escape it.

Otherwise any author/editor of the site will be able to perform any query on your database.

First of all you should never create SQL queries like you do in your code. Never concatenate the raw SQL with anything that is variable or comes from user.

You should use $wpdb->prepare for that.

So your code should look more like that:

$sql = "SELECT COUNT(meta_key) as count FROM {$wpdb->usermeta} WHERE meta_key = %s && meta_value = %s";
    $member_count = $wpdb->get_var( $wpdb->prepare( $sql, 'mepr-address-state', $atts[0] ) );

As you can see, there is also no point in getting all rows (there’s only one) and there’s no point in getting all columns (there also is only one).

That’s the escaping part that will save you from SQL injections.

But yes – most likely you should also put some validation in there – but it depends on what are the available values for that param.

Related Posts:

  1. In Which Contexts are Plugins Responsible for Data Validation/Sanitization?
  2. How to properly validate data from $_GET or $_REQUEST using WordPress functions?
  3. What is the difference between esc_html and wp_filter_nohtml_kses?
  4. What is the difference between strip_tags and wp_filter_nohtml_kses?
  5. array_map() for sanitizing $_POST
  6. Coding a plugin on WordPress; when should I sanitize? [duplicate]
  7. How to sanitize user input?
  8. WP_Editor – Saving Value into Plugin Option – Stripping HTML
  9. Prevent invalid or empty values from being saved to the database and retain the form field values upon error
  10. wordpress is adding a second backslash when I use addslashes
  11. Sanitize WordPress Array Input?
  12. Array/List Edit in Backend
  13. oneOf two possible objects in WP REST API?
  14. Sanitize and Save metabox values
  15. esc_url, esc_url_raw or sanitize_url?
  16. What process do you use for WordPress development? [closed]
  17. How do I create a custom role capability?
  18. What is the advantage of using wp_mail?
  19. Where to put third party PHP library?
  20. Add a new tab to WordPress Plugin install Listing
  21. Export data as CSV in back end with proper HTTP headers
  22. How to integrate a PHP webmail script into the backend of WordPress?
  23. Calling the widget id of a mult-instance widget from inside the widget?
  24. Do I need to call do_action in my plugin?
  25. WooCommerce get Shipping Class of product from either the product id or the order after order is completed
  26. Dequeue script, but still use wp_localize_script to pass vars
  27. Can I add pages to my custom menu via script?
  28. Replacing WordPress menu functionality with a plugin
  29. Programmatically Selecting Theme Based on URL
  30. Save user-specific options in WordPress admin
  31. Why is print_r returning $classObj->userObj in several places on site
  32. Is it possible to load plugin from console with core ?
  33. use __($str) to translate strings (symfony/twig)
  34. Plugin development: is adding empty index.php files necessary?
  35. Plugin base URL
  36. Database for development
  37. Customize multisite site creation with user data
  38. Adding plugin settings link upon activation
  39. How to create multiple Gutenberg blocks in one plugin
  40. Proper way to run wp_query from inside a plugin
  41. Buddypress function and global $bp question
  42. Custom plugin: Loop through taxonomy types and update columns for all types?
  43. How to add setting section in custom post type [closed]
  44. Get Current Menu Location inside Nav_Walker
  45. Maximum lifetime for nonce
  46. How to Display my HTML form in my Custom Plugin?
  47. Where to add hooks in a class
  48. Insert terms for custom taxonomy on plugin activation, or each page load (init hook)
  49. Custom GET Parameters In Plugin’s Admin Page
  50. Adding rewrite rule dynamically
  51. Incorporate small angular feature in my wordpress site
  52. Bootstrap doesn’t work on admin menu page-How to override wp-admin style?
  53. Use just a shortcode from another page
  54. How can I avoid conflicts between plugin and theme?
  55. How to control an elements classes from multiple Gutenberg sidebar controls?
  56. WordPress class, using add_action to call member function does not work
  57. random code at the end of file after plugin upload
  58. How Can I add Fields in wp-option table?
  59. Where do I put my add_action(… and add_filter(… and do I need to remove them?
  60. $wpdb->prepare with LIKE and sprintf
  61. ajax recursive calls on wordpress returning answers outsite the function scope
  62. Why in this archive page that call query_posts() function show only the last 10 posts?
  63. Quasi-custom API Call Plugin
  64. How can I show posts for a single category?
  65. Show content without a post
  66. WP ajax requests not stacking?
  67. In wordpress plugin wp_signon shows error
  68. Is it possible to load the css just on my plugin admin page?
  69. Problem with autoloader and namespaces
  70. How to create taxonomy without using register_taxonomy () function
  71. AJAX call returns ‘testtest0’ instead of ‘test’ – why?
  72. Get audio metadata on file upload
  73. Clean way to initialize plugin in newly-added site when plugin has been network activated?
  74. Loading Images from Javascript on the Front End
  75. How to deal with different jQuery versions?
  76. Can I attach a plugin via my add_filter callback contents?
  77. Custom payment method after payment user is logged out on thank you page
  78. The URL of images on my website changed after being set as featured image
  79. extraprops override existing props
  80. WordPress Favicon not Working For Images/Videos/PDFs
  81. converting a node.js project into a wp plugin
  82. Is “document loaded” different on admin side than public side?
  83. how to handle premium features in a wordpress plugin?
  84. Email content as comment
  85. Warning: Illegal string offset – on homepage
  86. Modify search form with plugin
  87. Organising and completing posts (mark as read and hide)
  88. When using an options array the Settings API isn’t creating the database record
  89. Displaying External Data – Not Posts
  90. the correct way to use options from settings page [closed]
  91. On one of my sites a file is shown as 404 but the file IS there
  92. I want to add post meta for picture thum during submit for revision
  93. How to synchronize an e-commerce site and a pharmacy management software?
  94. woocommerce features to add product along with link
  95. Extend WP_List_Table class – Edit wp_usermeta – WPPB.me Boilerplate – Action error
  96. Fetch Custom Woocomerce filed data and check the data avialble in Wp-user table as nicname or username using function.php
  97. How to get locale within WP REST Request?
  98. How to add extra EXIF data when images are uploaded?
  99. How to boost WP custom post REST API GET queries by custom taxonomies
  100. I want to redirect user to an amazon product page from my wordpress website when they add product to there cart [closed]