How to correctly escape query variables to be used in WP_Query

The function for the pre_get_posts action uses a WP_Query object (http://codex.wordpress.org/Plugin_API/Action_Reference/pre_get_posts)

When using functions such as get_posts or classes such as WP_Query and WP_User_Query, WordPress takes care of the necessary sanitization in querying the database. However, when retrieving data from a custom table, or otherwise performing a direct SQL query on the database – proper sanitization is then up to you.

Code Tuts+: Data Sanitization and Validation With WordPress

So in this case, you do not have to escape the query vars.

Related Posts:

  1. What characters do I need to escape in XML documents?
  2. What characters must be escaped in HTML 5?
  3. How can I selectively escape percent (%) in Python strings?
  4. How do I escape a single quote in jQuery?
  5. Escape Character in SQL Server
  6. How to escape apostrophe (‘) in MySql?
  7. Should HTML output be passed through esc_html() AND wp_kses()?
  8. How to prevent escaping when saving HTML code in an option value?
  9. esc_attr / esc_html / esc_url in echos
  10. When do I need to use esc_html()? [duplicate]
  11. what’s different between esc_attr, htmlspecialchars and htmlentities
  12. Allow all attributes in $allowedposttags tags
  13. When outputting a static string to the page, is it necessary to escape the output?
  14. How Flexible are the WordPress Coding Standards for PHPCS?
  15. why is esc_html() returning nothing given a string containing a high-bit character?
  16. How to properly escape a translated string?
  17. Translate a Constant while appeasing WordPress PHPCS
  18. Using esc_url() on a url more than once
  19. Do I need to escape get_theme_mod(‘url’) / (‘mail’) with esc_url?
  20. How to allow &nbsp with wp_kses()?
  21. Using esc_attr_e
  22. Why esc_html_() is not used on every text that has a translation (on Twenty Twenty One)?
  23. Escaping crashes my output
  24. How to safely escape the title attribute
  25. How to safely escape data that contains HTML attributes
  26. Can wp_strip_all_tags be used as a substitute for esc_url, esc_attr & esc_html?
  27. Echoing a URL to a link
  28. wp_kses_post escaping doesn’t appear to work as described?
  29. file_get_contents | escaping doesnt show the page
  30. Help about Escaping
  31. How to keep specific tag from an html string?
  32. Escaping Issues
  33. Escaping and Special Characters (e.g. &)
  34. Escaping get_option( ‘time_format’ ) is nesserary?
  35. How should esc_url be combined with trailingslashit?
  36. Correct way of using esc_attr() and esc_html()
  37. Illegal Escape Character “\”
  38. What does it mean to escape a string?
  39. Invalid escape sequence (valid ones are \b \t \n \f \r \” \’ \\ )
  40. Best Practice for PHP
  41. Difference between esc_url() and esc_url_raw()
  42. How to escape custom css?
  43. How to Use Wildcards in $wpdb Queries Using $wpdb->get_results & $wpdb->prepare?
  44. Should messages in WP_Error already be html escaped?
  45. Escaping built-in WP function return strings
  46. Passing Variable as URL Parameter — Security concerns?
  47. Rewrite Rule for Custom Page with Query Vars in URL
  48. WordPress query through Products variation stock [closed]
  49. set_query_var doesn’t seem to work on init hook
  50. Why should I escape translatable strings? and how shall i do that?
  51. esc_url not working within add_settings_field callback
  52. Do I need to use the esc_html() function on hard coded links?
  53. Determine WP_Query parameters from URL
  54. Rewrite rules and query for virtual page
  55. Passing array of strings to a SQL statement in a WordPress plugin
  56. Rewrite URL Parameter And Force ‘Pretty’ Permalink
  57. Taxonomy page template changing when using query variables
  58. Is it safe to use $_POST directly in my plugin instead of using admin-ajax.php to receive data from ajax?
  59. How Could I sanitize the receive data from this code
  60. Quotes being escaped inside wp_editor when saved with wp_kses_post
  61. When I re-save a post with [code] sections, the entities are double-escaped (> becomes > etc)
  62. wp_query not searching with apostrophe
  63. Rewriting get_next_posts_link() for custom loop
  64. Securing/Escaping Output of file content – reading via fread() in PHP
  65. add_filter(‘query_vars’) not working in custom template
  66. WordPress stripping away backslashes from HTML
  67. How to: wordpress job listing and candidates details
  68. Query arg not available on init
  69. Unexpected esc_html and esc_attr behaviour
  70. Integer based rewrite isn’t recognized for value of 1
  71. HTML escaping data with ajax requests
  72. should I escape a literal url added in functions.php
  73. Query_vars support in Rest API
  74. How to pass a variable to get_template_part that’s updated every time the template part is called?
  75. How to allow single quote with esc_html__() without sprintf()
  76. Redirect old query string URLs to new add_rewrite_rule URL
  77. Pass form input via url variable
  78. Add pagination to a template loaded by query variable
  79. Wrapping add_query_arg with esc_url not working
  80. wordpress post not showing my “” text>?
  81. WordPress add a rewrite rule to a page to accept a GET variable
  82. Custom query_var to get URL paramater not working
  83. Custom permalink question
  84. CPT year wise archive based on custom date Field
  85. Single Post (CPT) in two pages – Normal and Extended
  86. How to make MySQL search queries with quotes
  87. Escaping WP_Query tax_query when term has special character(s)
  88. Escape html structure in php
  89. site_url() returns with additional backslashes
  90. Rewrite URL to plugin file
  91. Allow iframe in custom meta box
  92. Need help with regex
  93. query_vars doesn’t return query string (trying to get data from $wpdb)
  94. esc_url, esc_url_raw or sanitize_url?
  95. how to escape alert/window.location.replace with variable
  96. Unable to Retrieve Query Parameters Passed in URL
  97. What is best practice when escaping the_title()?
  98. If necessary, how should wp_get_attachment_image() and its parameters be escaped?
  99. How can I use an alternate header when a query var is present
  100. Is it necessary to use escape functions on everything or is it only necessary if you’re taking input from a 3rd party? (End Users, APIs, Etc.)

Leave a Comment