Is sanitize_text_field() enough to save to DB?

So here is the situation. We allow users to enter input data, i.e. user_first_name and user_additional_comments.
Then we use sanitize_text_field(), which is described as safe.

But after this filter:

Thomas' OR SELECT * FROM wp_user

is still saved into the DATABASE as full text. And the ' char is not escaped as ' or \'.

I use $wpdb->query("INSERT INTO A (a,b,c) VALUES ('{$a}', '{$b}', '{$c}')"); So $a has to be a valid value here, which can be inserted into the db. I have reasons not to use the insert(), prepare() etc. specific functions, so I need to be sure that $a is VALID and SECURE. How do I ensure that for text data like a last name or a comment?

So does this break the security?


You can use the wpdb insert function. It's better in every way.

It takes care of the data's escaping itself and it's shorter.

You can use your own query anyway but I would recommend this article for reading: https://codex.wordpress.org/Data_Validation#Database
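The distinction between sanitising and escaping, shown as an added example that is not part of the question or the answer. It assumes it runs inside WordPress (so sanitize_text_field(), $wpdb and esc_sql() are loaded); the table and column names are hypothetical, and the input is the one from the question.

```php
<?php
// Added example, not from the original post. Assumes WordPress is loaded so that
// sanitize_text_field(), esc_sql() and the global $wpdb object are available.
global $wpdb;
$table = $wpdb->prefix . 'example_comments'; // hypothetical table

// Constructed input, the same string the question shows.
$raw_name    = "Thomas' OR SELECT * FROM wp_user";
$raw_comment = "<b>hello</b>   with   extra   spaces\n";

// sanitize_text_field() strips tags, invalid UTF-8, line breaks and extra
// whitespace. It does NOT escape SQL metacharacters, so the single quote
// in $name survives exactly as entered.
$name    = sanitize_text_field( $raw_name );
$comment = sanitize_text_field( $raw_comment );

// UNSAFE (the pattern from the question): the quote in $name closes the
// string literal, so the sanitised value still alters the SQL statement.
// $wpdb->query( "INSERT INTO {$table} (name, comment) VALUES ('{$name}', '{$comment}')" );

// SAFE 1: $wpdb->prepare() with %s placeholders (no quotes around them);
// wpdb escapes and quotes each value when the query is built.
$sql = $wpdb->prepare(
    "INSERT INTO {$table} (name, comment) VALUES (%s, %s)",
    $name,
    $comment
);
$wpdb->query( $sql );

// SAFE 2: $wpdb->insert() escapes every value itself (the answer's suggestion).
$wpdb->insert(
    $table,
    array( 'name' => $name, 'comment' => $comment ),
    array( '%s', '%s' )
);

// SAFE 3: if raw $wpdb->query() really must be kept, esc_sql() is the step that
// escapes for MySQL; it wraps each value immediately before interpolation.
// Sanitising earlier is not a substitute for this escaping.
$wpdb->query(
    "INSERT INTO {$table} (name, comment) VALUES ('"
    . esc_sql( $name ) . "', '" . esc_sql( $comment ) . "')"
);
```

Sanitising (what sanitize_text_field() does) shapes the content; escaping (prepare(), insert() or esc_sql()) protects the query, and a value needs both before it reaches the database.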
