It’s okay to use it more than once, but not encouraged. However, in your first example, you’re saving the URL to the database. When you do that, or when using the URL in the wp_remote_* context, or a redirect, or any other non-display context, you should be using esc_url_raw() instead. Also note that get_post_meta will … Read more
You cannot use constants or anything other than actual strings with translation functions. This is because the code that reads your code, and produces the translatable strings does not actually run your code, it is reading your code. Here is a more detailed post on the topic: http://ottopress.com/2012/internationalization-youre-probably-doing-it-wrong/ But the short version is this: This … Read more
esc_js() breaks unicode sequences by removing the slash ‘\’ character
mysql_real_escape_string() vs. esc_sql() in WordPress
How to escape attachment image caption text?
It sounds like you’re trying to implement a general purpose field for users to enter any kind of tracking code/JS into. This approach gives users the most flexibility but it means that you are trusting them to put whatever JavaScript that they want into the header and footer. By default, users need the administrator or … Read more
At first, Data was sanitized here (line 2997). If you don’t want any plugin/theme run on action save_post. User function remove_all_actions to remove all functions hooked to action save_post. function post_save_action($post_id, $post, $update) { if ($this->is_temp_saving_post($post, $post_id)) { return; } // Check user permissions if (!current_user_can(‘edit_post’, $post_id)) return; // Update post if (!$this->is_proper_post_type($post)) { return; … Read more
esc_js() is used to escape single quotes, htmlspecialchar ” < > &, and fix line endings; it takes only a single required parameter as a string: the text to be escaped, and returns an escaped text. It is intended to be used for inline JavaScript such as the onclick=”” attribute (note that the strings have … Read more
Securing/Escaping Output of file content – reading via fread() in PHP
EDIT: Disable magic_quotes_gpc in your server. try adding in .HTACCESS file (if you on shared hosting): php_flag magic_quotes_gpc off If you’ll get 500 server error after you added it – delete it and put this: ini_set (‘magic_quotes_gpc’, 0); in theme’s functions.php file. And with function bellow check is it on. You can create php file … Read more