$wpdb is get_results escaped

The answer is: of course they are not – otherwise you couldn’t use them to save them in DB.

But… the answer to your question isn’t so easy.

Sanitizing is a process of preparing data for storing in DB. So for example if you insert some illegal characters in post_name, then it will be removed, so the post_name is sanitized, before saving. If you use color picker in Customizer, then you should sanitize it (checking if it really is a color and not some random string) before saving. And so on.

But sanitized data can still be dangerous. You can use “>” character in title, so title containing it will be sanitized. But of course you can’t print it in HTML of your code.

That’s where escaping joins the game. Escaping is a process of making data from DB secure for HTML code (based on context). Remember that the same title should be escaped in a different way when it’s printed inside tag (then you should use esc_html), than when it’s used as html attribute (you should use esc_attr) and so on.

So yes – you should always sanitize your data before storing it in DB and always use correct way of escaping based on given context.

Related Posts:

  1. How to protect a script execution on WordPress?
  2. SQL queries to another wordpress site
  3. get_posts() SQL Injection
  4. Escaping a WPDB Object in One Shot
  5. what is the way to see the currently executing query in wordpress?
  6. WordPress 4.8.1 uses mysql_connect which doesn’t work with PHP 7
  7. How to use $wpdb to delete in a custom table
  8. Matching database content types to PHP types
  9. Does $wpdb->prepare not create a prepared statement that I can execute multiple times?
  10. Is it true $wpdb->get_results is faster than WP_Query in most cases?
  11. Saving custom form data into database
  12. Get data from database table by post_id to get data from second database table
  13. wp-content/db.php : where is this file?
  14. Delete/replace img tags in post content for auto published posts [closed]
  15. $wpdb sql help. Select post id and post meta value based on 2 other post_meta values
  16. $wpdb->get_results() returns good result only in first foreach iteration
  17. $wpdb->insert – inserting multiple rows
  18. $wpdb prepared with search term
  19. WPDB->insert with special characters
  20. wpdb-> not adding prefix to custom table
  21. WordPress insert NOW() in TIMESTAMP column returns all zeros
  22. $wpdb prepare issue with mysql DATE_FORMAT
  23. Is $wpdb->prepare escaping to much? How to use it properly?
  24. How to pass NULL in where array for $wpdb->update
  25. I am not understandinhg $wpdb->prepare correctly
  26. I want to update my postcontent with $wpdb
  27. How to save html and text in the database?
  28. XOR functionality for meta_query
  29. $wpdb->replace / Replace or update primary key
  30. Create an array with a string key from wpdb->get_results
  31. Replicating the WP_Query ‘s’ param with $wpdb
  32. get the number of queries made on a page(inside my plugin)
  33. Doing a loop with multiple DBs simultaneoulsy
  34. Using WPDB class
  35. How can I migrate mysql_fetch_array to $wbpdb?
  36. WordPress SQL query – returning ‘true’ ‘false’ or ‘null’
  37. Modify the structure of data returned by $wpdb
  38. wpdb get_results() and prepare when to use prepare?
  39. WPDB If primary key already exists, add +1 to integer field
  40. How to get an array of user roles with or without a specific capability?
  41. Programmatically Creating Page using $wpdb and getting 404 error
  42. Return XML of Post Metadata
  43. What’s the proper way to add users to my site in order to test things?
  44. Problem in inserting row to custom database table
  45. sanitize_text_field and apostrophe problem
  46. $wpdb->prepare with ON DUPLICATE KEY UPDATE
  47. 301 Redirect Code
  48. wpdb updating record in wordpress with json adds extra array elements
  49. How to display a specific category using a custom Query?
  50. $wpdb->insert inserting only f character in custom table
  51. AWS Bitnami WordPress – SELECT command denied to user
  52. WPDB Placeholders and second argument for prepared statements
  53. PHP Fatal Error – $wpdb a non-object?
  54. Why does wpdb->update delete other meta?
  55. Increment integer field in database when WHERE needs to be dynamic [closed]
  56. Getting variable from Database
  57. Custom SQL query ORDER BY term_order
  58. Custom $wpdb returns unexpected time based results
  59. $wpdb->prepare was called incorrectly when inserting multiple records
  60. how to connect to another database in wordpress
  61. $wpdb->insert() doesnt work anymore
  62. WordPress wpdb->insert returns int(0) => doesn’t insert anything, no errors!
  63. Save sql file after doing insert wpdb
  64. Perform a function when a user clicks register button
  65. $wpdb->get_results not returning an array
  66. Can I use wpdb to insert query results into a post?
  67. $wpdb->prepare error after WordPress update [duplicate]
  68. wpdb result arrray inside an array
  69. $wpdb->get_var next var?
  70. How do I modify this wpdb query to include posts that have a post_status of publish and draft?
  71. Can’t find out why dbDelta dosen’t create my table
  72. How to pass an input value into wpdb->Prepare
  73. How capturate wpdb exceptions?
  74. How to store sensitive user data (passwords)
  75. Limit left join
  76. Check if Value Exists in Database, adding row details to variables and echoing result
  77. wpdb replace returning 1 where delete and insert is expected
  78. wpdb discards duplicate column names?
  79. update_post_meta not working in template_redirect action
  80. WPDB SQL query SELECT from category
  81. How to work with constraints on wordpress user metadata?
  82. How to Update multiple rows using $wpdb->update
  83. Unable to use $wpdb in WordPress
  84. How to display specific data from custom database table in WordPress
  85. Get 3 row ID’s via ARRAY_A
  86. Getting record from three wpdb tables
  87. Why is an empty result an error? ( $wpdb->get_row )
  88. get_row returns empty when data exists
  89. wpdb insert working in one function, but not another
  90. How to set up prepared query using IN statement
  91. WPDB Prepared Delete
  92. wpdb select from using array as search parameters
  93. wpdb Cannot Access Associative Array Data in a Count Query
  94. Can’t get expected result from a wpdb query
  95. Can’t seem to get set_blog_id working, it just doesn’t reset the blog ID
  96. DBDelta: “table doesn’t exist” for a table that was just created
  97. selecting row using wpdb which contain special symbols
  98. Query Problem in Clustom Plugin
  99. How does $wpdb->get_var work with offset?
  100. WP Recommended Table Exclusions?

Leave a Comment