mysql_real_escape_string() vs. esc_sql() in WordPress
How to escape attachment image caption text?
It sounds like you’re trying to implement a general purpose field for users to enter any kind of tracking code/JS into. This approach gives users the most flexibility but it means that you are trusting them to put whatever JavaScript that they want into the header and footer. By default, users need the administrator or …
At first, data was sanitized here (line 2997). If you don’t want any plugin/theme to run on action save_post, use the function remove_all_actions to remove all functions hooked to action save_post. function post_save_action($post_id, $post, $update) { if ($this->is_temp_saving_post($post, $post_id)) { return; } // Check user permissions if (!current_user_can('edit_post', $post_id)) return; // Update post if (!$this->is_proper_post_type($post)) { return; …
esc_js() is used to escape single quotes, htmlspecialchar " < > &, and fix line endings; it takes only a single required parameter as a string: the text to be escaped, and returns an escaped text. It is intended to be used for inline JavaScript such as the onclick="" attribute (note that the strings have …
Securing/Escaping Output of file content – reading via fread() in PHP
EDIT: Disable magic_quotes_gpc in your server. Try adding in the .htaccess file (if you are on shared hosting): php_flag magic_quotes_gpc off If you get a 500 server error after you added it, delete it and put this: ini_set('magic_quotes_gpc', 0); in the theme’s functions.php file. And with the function below check if it is on. You can create a php file …
This was a case of UTF-8 character encoding taking over the presentational view of your browser and converting those HTML entities into their counterparts, human readable text. After all, you might have very well wanted a string that looked like; “BLA for some reason or another to the eyes of your viewer instead of …
Using a snippet of code like this: $hook_name="the_content"; global $wp_filter; var_dump($wp_filter[$hook_name]); I was able to find a list of all hooked callback functions to the WordPress filter: the_content. I then located a few possible culprits, then searched for their function existence. After narrowing down my list, I came to the conclusion on the hooked callback …
like_escape() only escapes % and _ characters. The entire function looks like this: function like_escape($text) { return str_replace(array("%", "_"), array("\\%", "\\_"), $text); } Quoting from the Codex, esc_attr() Encodes the <, >, &, " and ' (less than, greater than, ampersand, double quote and single quote) characters. Will never double encode entities. Always use when …