I can’t find a function shipped with WordPress that does this, so I created my own: function esc_sql_name( $name ) { return str_replace( “`”, ““”, $name ); } You can use it like this: $escaped_name = esc_sql_name( $column_name ); $sql = $wpdb->prepare( “SELECT * FROM example WHERE `$escaped_name` = %s”, $foobar ); Reference: MySQL documentation … Read more
Adding scripts directly to the content is not a good idea. You can disable escaping of content, but that is even a worse idea. Here we have a couple of solutions. Using a plugin The PHP Code Widget allows you to add almost anything as a widget. If you have some text widgets, you can … Read more
Please try using (blank space) instead of \s and . instead of \w For further details on supported operators and characters please check this link: https://dev.mysql.com/doc/refman/5.7/en/regexp.html
I think I have figured out the problem, though I have yet to solve it. I am running the shortcode in a WP Types custom WYSIWYG field. The shortcode works perfectly everywhere else, including directly in my theme files and in the native WordPress content WYSIWYG, so it seems it is a bug in WP … Read more
Ok, so there is one major problem with your code and it has nothing to do with escaping LIKE statements in SQL. But let me start from that… There is nothing wrong with your escaping. You should do it exactly like that: global $wpdb; // Create a SQL statement with placeholders for the string input. … Read more
tl;dr Should I serialize the data? No, it will be done for you as long as everything is serializable. Should I sanitize/escape the data? Partially. The data will be escaped automatically for you to prevent SQL injection attacks, but you should sanitize and validate it to assure data consistency. Explanation If there’s no object cache … Read more
WordPress has a baked in solution: esc_html__( string $text, string $domain = ‘default’ ) You can use that to replace __() and __x() but the second one looks for contextual translations where you specify the context for the string being translated. The codex for it is right here: https://developer.wordpress.org/reference/functions/esc_html__/
After thinking about this a little bit, I guess that the proper way to ensure that your comments are properly escaped, is by doing something like this: $the_comment = get_comment_text(); echo ‘<p>’ . esc_html($the_comment) . ‘</p>’; Instead of simply using the function like this: comment_text(); Why even have these handy functions in the first place, … Read more
Perhaps because the entity is a non-UTF8 character? Here’s what esc_html() does: function esc_html( $text ) { $safe_text = wp_check_invalid_utf8( $text ); $safe_text = _wp_specialchars( $safe_text, ENT_QUOTES ); return apply_filters( ‘esc_html’, $safe_text, $text ); } If not that, then it’s getting sanitized when filtered by _wp_specialchars(), which does double-encoding(by default,no) and all sorts of things. … Read more
The Codex description of these two functions: wp_specialchars: Converts a number of special characters into their HTML entities. Specifically deals with: &, <, >, “, and ‘. wp_specialchars_decode: Converts a number of HTML entities into their special characters. According to http://codex.wordpress.org/Function_Reference/wp_specialchars This function is deprecated as of WordPress 2.8.0. Please use esc_html instead. You don’t … Read more