get_posts() SQL Injection

If not, how do I clean the incoming variables?

In most cases you don’t, get_posts calls WP_Query internally, and WP_Query performs some sanitization, namely via wpdb->prepare.

However, for what you’re trying to do, this is the wrong approach. Just use a standard search.php template with a standard post loop, and use input fields that have the same names as the parameters for WP_Query. WP will automatically filter as a result of them being added to the URL. There is no need for a custom page template with a custom query and custom URL parameters. It’s just unnecessary complexity, and double the database queries ( don’t forget the broken pagination, dealing with 404’s, etc )

Related Posts:

  1. $wpdb is get_results escaped
  2. Counting posts with argument without retrieving the posts
  3. How to protect a script execution on WordPress?
  4. SQL queries to another wordpress site
  5. Escaping a WPDB Object in One Shot
  6. How to parse row results from $wpdb -> get_results
  7. Fetch array with $wpdb
  8. get_results on large datasets
  9. $wpdb->insert() and Values for Datetime Columns?
  10. Theoretical Multi-Server WordPress Setup with Shared Users
  11. Change post status based on meta value
  12. Speed optimization of $wpdb->get_results
  13. WordPress insert NOW() in TIMESTAMP column returns all zeros
  14. How do you use prepare when asking for a list of id’s
  15. $wpdb prepare issue with mysql DATE_FORMAT
  16. How-To: wpdb Insert Record With Date
  17. How to pass NULL in where array for $wpdb->update
  18. Get random row from custom table
  19. store custom WP table names in a global variable
  20. wpdb prepare: passing varible number of fields as second argument
  21. I am not understandinhg $wpdb->prepare correctly
  22. Wpdb query for comment meta for current post
  23. How to Modify this $wpdb query to accept an array of post statuses
  24. Using WPDB class
  25. WPDB Update using Conditional Arrays
  26. $wpdb->get_results returns empty but value exists
  27. WP Sql query multiple where clause
  28. Problem displaying inserted form
  29. What is _transient_random_seed for?
  30. Get published posts and pages?
  31. wpdb get_results() and prepare when to use prepare?
  32. Syntax for $wpdb->prepare when searching in two columns
  33. Foreach loop using $wpdb not results from rows
  34. $wpdb->insert is running multiple times on page load, but only called once
  35. Confused by $wpdb->prepare
  36. How to get a value-only flat array from $wpdb->get_results when selecting a single column, without foreach()?
  37. How to Instantiate wpdb Object in New File
  38. How do you build a wpdb query dynamically?
  39. Would this WPDB setup result in potential race conditions?
  40. How to update a row in a table in WordPress
  41. What’s the proper way to add users to my site in order to test things?
  42. Optimizing WordPress Queries – Removing Group By ID
  43. External DB Connection [closed]
  44. Codex: Database Description: meaning of Cardinality
  45. Code only works every other time its run
  46. Can’t pass variable in wordpress wpdb->get_results
  47. WordPress db prepare
  48. How do I count columns on a custom WPDB query?
  49. how to get db values without using an loop with wpdb->get_results()
  50. Custom SQL query ORDER BY term_order
  51. Trouble inserting string containing quotations marks with wpdb in save_post hook
  52. How to run wp_insert_post() & wpdb on the background?
  53. Trying to get variable from WP table and toggle its value
  54. Set MySQL variables in WPDB
  55. get_results query with accent
  56. How to prepare an array of values with $wpdb
  57. Is querying wpdb directly and skipping actions provided by WP’s core “wp_update_post” a good idea?
  58. $wpdb->insert() doesnt work anymore
  59. $wpdb query outputs php code instead of executing it
  60. wpdb query not working
  61. Where can I see MySQL hostname and port for wp-config.php
  62. WordPress wpdb->insert returns int(0) => doesn’t insert anything, no errors!
  63. Using “->” in a page to exceute $wpdb query gives error
  64. Unknown column ‘siteurl’ in ‘where clause’ WPDB outside
  65. Exclude specific terms from all queries using posts_where or something similar
  66. $wpdb->get_results not returning an array
  67. query a newly created table using $wpdb
  68. Get all sticky posts from one user through user ID
  69. WPDB Query Question with Category Only
  70. wpdb result arrray inside an array
  71. $wpdb->num_rows doesn’t work
  72. How can I change my meta_query to SQL wpdb query?
  73. How capturate wpdb exceptions?
  74. Insert NULL value using prepare()
  75. “This message was added in version X” showing a later version than current one
  76. Prepare WPDB with meta key and meta value
  77. How to get row value from wpdb
  78. I am using wpdb but it not working perfectly.but if I dont use form data its work
  79. wont add form details to database or send me mail
  80. Create a stored procedure on plugin activation
  81. Get last element from wpdb as a string
  82. WPDP related functions look to work but they don’t
  83. Custom database query to validate data
  84. Update all fields of table with ON DUPLICATE KEY UPDATE command
  85. WordPress – wpdb query does not list same result as sql query
  86. Protect custom form from SQL injection
  87. why nl2br() is adding an extra ?
  88. What is the best practice to initialise $wpdb by loading wp-load.php?
  89. $wpdb->get_results in not an array
  90. How to make iteration on wpdb->update or query statement?
  91. How to add more custom fields in user meta table simultaneously
  92. get unserialized array without using get_option()
  93. SQL Query to select post title & post ID from a particular category
  94. Create Table Failed Column Date DateType
  95. Checking if meta_value exists for any user
  96. Jeditable Plugin working as it should – scope issue?
  97. Can you create a new wpdb that connects to an SQL (not MYSQL) database? [duplicate]
  98. query using wpdb in wordpress gets me no result
  99. Site going down due to slow queries
  100. How do I change the datetime format from ( ‘y-m-d’ ) to ( ‘d m y’ ) [closed]
tech