Must I serialize/sanitize/escape array data before using set_transient?

Everything is in the question. For a notices system to show warnings/errors in the admin, I'm using transients. When I published my first plugin, I received an email asking me to sanitize/validate/escape data that is inserted into the database, so… I'm writing a function to wrap set_transient() to do this, but I'm not sure if in …
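Added example, not code from the question above or from any plugin: a transient-backed notices queue that sanitizes on write and escapes on read. It assumes it runs inside WordPress (set_transient(), get_transient(), sanitize_text_field(), esc_html(), esc_attr() and MINUTE_IN_SECONDS are core), and the `mypfx_` names are hypothetical. The point it illustrates: set_transient() already serializes arrays (maybe_serialize()) and writes them through add_option()/update_option(), which use $wpdb's prepared inserts/updates, so neither serialize() nor SQL escaping is your job; sanitizing what goes in and escaping what comes out still is.

```php
<?php
// Added example (not from the original post). Assumes WordPress is loaded;
// the "mypfx_" names are hypothetical.

// set_transient() serializes arrays itself and stores them through the options
// API, which uses $wpdb prepared writes. What the plugin author still owns:
//   1. sanitizing untrusted values before they are queued, and
//   2. escaping at output, when the notice is rendered as HTML.

const MYPFX_NOTICES_KEY = 'mypfx_admin_notices';

/**
 * Queue one admin notice. $type is whitelisted; $message is reduced to plain text.
 */
function mypfx_add_notice( string $type, string $message ): bool {
    $allowed_types = array( 'error', 'warning', 'success', 'info' );
    if ( ! in_array( $type, $allowed_types, true ) ) {
        $type = 'info';
    }

    $notices   = get_transient( MYPFX_NOTICES_KEY );
    $notices   = is_array( $notices ) ? $notices : array();
    $notices[] = array(
        'type'    => $type,
        // Strips tags, line breaks, extra whitespace and invalid UTF-8.
        'message' => sanitize_text_field( $message ),
    );

    // Store the array as-is; WordPress serializes it. A short expiry keeps
    // stale notices from piling up if no admin page is ever rendered.
    return set_transient( MYPFX_NOTICES_KEY, $notices, 5 * MINUTE_IN_SECONDS );
}

/**
 * Render and clear the queued notices. Escaping happens here, at output time.
 */
function mypfx_render_notices(): void {
    $notices = get_transient( MYPFX_NOTICES_KEY );
    if ( ! is_array( $notices ) ) {
        return;
    }
    delete_transient( MYPFX_NOTICES_KEY );

    foreach ( $notices as $notice ) {
        // Re-validate on read: anything with database access can overwrite a transient.
        $type    = isset( $notice['type'] ) ? (string) $notice['type'] : 'info';
        $message = isset( $notice['message'] ) ? (string) $notice['message'] : '';
        printf(
            '<div class="notice notice-%1$s is-dismissible"><p>%2$s</p></div>',
            esc_attr( $type ),   // attribute context
            esc_html( $message ) // text-node context
        );
    }
}
add_action( 'admin_notices', 'mypfx_render_notices' );
```

Usage from elsewhere in the plugin is `mypfx_add_notice( 'error', $some_message )`; the notice appears on the next admin page load and is consumed. Keep the transient name under 172 characters, the limit imposed by the option name column for non-object-cache installs.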

PHP sprintf escaping %

I want the following output: About to deduct 50% of € 27.59 from your Top-Up account. when I do something like this: $variablesArray[0] = '€'; $variablesArray[1] = 27.59; $stringWithVariables = "About to deduct 50% of %s %s from your Top-Up account."; echo vsprintf($stringWithVariables, $variablesArray); But it gives me this error: vsprintf() [function.vsprintf]: Too few arguments in …
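Added example, not code from the question above; plain PHP with no WordPress dependency, function names are illustrative. In a printf-family format string a literal percent sign is written `%%`. In `50% of %s %s` the parser reads `% o` as the space flag plus the octal conversion `o`, which consumes one argument before the two `%s` do, so three arguments are expected and two are supplied. The example also covers the case where the surrounding text is not under your control and must be spliced into a format string.

```php
<?php
// Added example (not from the original post). Plain PHP.

/**
 * Escape every "%" in text that is meant literally, so the text can be
 * embedded in a format string without being parsed as a conversion.
 */
function fmt_percent_literal( string $literal ): string {
    return str_replace( '%', '%%', $literal );
}

/**
 * Build the deduction message. The percentage is data too, so it is passed
 * through a conversion (%d) and the literal sign follows it as "%%".
 */
function deduction_message( float $percent, string $currency, float $amount ): string {
    return vsprintf(
        'About to deduct %d%% of %s %.2f from your Top-Up account.',
        array( $percent, $currency, $amount )
    );
}

echo deduction_message( 50, '€', 27.59 ), PHP_EOL;

// When the literal part comes from elsewhere (a template, a translation) and
// may itself contain "%", escape it before concatenating it into the format.
$label  = 'Top-Up (100% prepaid)';
$format = 'Account: ' . fmt_percent_literal( $label ) . ' - balance %s %.2f';
echo sprintf( $format, '€', 27.59 ), PHP_EOL;
```

The first call produces the sentence the question asks for; the second shows that once `%` is doubled in the literal segment, `sprintf()` leaves it alone and fills only the two real placeholders.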

How to properly escape a translated string?

I'm having trouble understanding how to escape a translated string with WordPress… The following piece of code is from the WordPress Codex: function wpdocs_kantbtrue_init() { $args = array( 'labels' => array( 'name' => _x( 'Recipes', 'Post type general name', 'recipe' ), 'singular_name' => _x( 'Recipe', 'Post type singular name', 'recipe' ), 'menu_name' => _x( …
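Added example, not code from the question or from the Codex; it assumes WordPress is loaded and reuses the `recipe` text domain from the snippet, with the other names illustrative. The rule it demonstrates is "translate first, escape last, for the context the string lands in": a translation is a string read from a .mo file and can carry markup, so it is escaped like any other input at the point where your code echoes it. The core helpers `esc_html__()`, `esc_html_e()`, `esc_html_x()`, `esc_attr__()`, `esc_attr_e()` and `esc_attr_x()` combine translation and escaping in one call.

```php
<?php
// Added example (not from the original post). Assumes WordPress is loaded.

// 1. Strings handed to core as data (post type labels) are translated with
//    _x()/__() exactly as in the Codex snippet. Escaping is a property of output,
//    and register_post_type() is not your code outputting anything.
function wpdocs_recipe_labels(): array {
    return array(
        'name'          => _x( 'Recipes', 'Post type general name', 'recipe' ),
        'singular_name' => _x( 'Recipe', 'Post type singular name', 'recipe' ),
        'menu_name'     => _x( 'Recipes', 'Admin Menu text', 'recipe' ),
    );
}

// 2. Where your own code echoes a translation, escape for the HTML context.
function wpdocs_render_recipe_header( string $recipe_title, string $edit_url ): void {
    // Text node: esc_html_x() is esc_html( _x( ... ) ).
    echo '<h2>' . esc_html_x( 'Recipe', 'Post type singular name', 'recipe' ) . '</h2>';

    // Attribute value: esc_attr__() is esc_attr( __( ... ) ); URLs get esc_url().
    printf(
        '<a class="button" href="%1$s" title="%2$s">%3$s</a>',
        esc_url( $edit_url ),
        esc_attr__( 'Edit this recipe', 'recipe' ),
        esc_html__( 'Edit', 'recipe' )
    );

    // Placeholders: escape the translated format string AND each runtime value.
    // The translator only ever sees "%s"; the title is escaped on its own.
    printf(
        /* translators: %s: recipe title */
        esc_html__( 'You are viewing %s', 'recipe' ),
        '<strong>' . esc_html( $recipe_title ) . '</strong>'
    );

    // A translation that legitimately contains markup: allow a safe subset
    // with wp_kses_post() instead of escaping the tags into visible text.
    echo wp_kses_post(
        __( 'Read the <a href="https://example.com/docs">documentation</a>.', 'recipe' )
    );
}
```

Note that `esc_html__()` is applied to the format string before `printf()` fills it, so a malicious translation cannot inject tags, while the literal `<strong>` wrapper is yours and stays intact.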

Sanitizing comments or escaping comment_text()

I'm creating a template for comments on my WordPress site. I noticed that a simple <script>alert(1);</script> slips through the default WP Codex implementation of comments, using the comment_text() function to display my comments. No bueno. How can I properly sanitize and/or escape WordPress comments? The esc_html() function seems to do nothing in this case. …
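Added example, not code from the question; it assumes WordPress is loaded and the `mypfx_` names are hypothetical. Two facts explain the symptom. First, on save WordPress runs comment content through `wp_filter_kses()` only for users without the `unfiltered_html` capability, so a `<script>` that survives was almost always posted by an administrator or editor, whose markup is stored verbatim; the filters `comment_text()` applies on display (wptexturize, convert_chars, make_clickable, force_balance_tags, convert_smilies, wpautop) format markup but do not remove it. Second, `comment_text()` echoes and returns nothing, so `esc_html( comment_text() )` escapes an empty value after the raw comment is already on the page.

```php
<?php
// Added example (not from the original post). Assumes WordPress is loaded;
// the "mypfx_" names are hypothetical.

/**
 * Run every rendered comment through KSES with the default comment tag set
 * ('data': a, abbr, b, blockquote, cite, code, em, strong, ...), regardless of
 * who wrote it. Hooked at priority 5 so it runs before make_clickable (9) adds
 * <a> and before wpautop (30) adds <p>/<br>, which are not in that tag set.
 */
function mypfx_kses_comment_text( $text ) {
    return wp_kses( $text, 'data' );
}
add_filter( 'comment_text', 'mypfx_kses_comment_text', 5 );

/**
 * Defence in depth: stop trusted roles from storing raw HTML in the first place.
 * Equivalent to define( 'DISALLOW_UNFILTERED_HTML', true ) in wp-config.php.
 */
add_filter( 'map_meta_cap', function ( array $caps, string $cap ) {
    if ( 'unfiltered_html' === $cap ) {
        $caps = array( 'do_not_allow' );
    }
    return $caps;
}, 10, 2 );

// In the comment template, if plain text is wanted instead: escape the RETURNED
// text. This bypasses the comment_text display filters, so no autop/clickable.
function mypfx_plain_comment(): void {
    echo esc_html( get_comment_text() );
}
```

The `comment_text` filter approach keeps the normal formatting pipeline and only removes disallowed tags; the `esc_html( get_comment_text() )` form shows every tag literally and is the right choice when comments are meant to be plain text.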

why is esc_html() returning nothing given a string containing a high-bit character?

In PHP 5.2, filter_var() sanitizes text. In WP, esc_html() sanitizes text. The former works with a high-bit character in the text string, e.g. à, but the latter doesn't. esc_html seems to be totally eating a string containing a high-bit character. Here's the example, written as a simple WP plugin: <?php /* Plugin Name: bugz …
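Added example, not code from the question; it assumes WordPress is loaded for `esc_html()` and the mbstring extension for `mb_check_encoding()`/`mb_convert_encoding()`, with the `mypfx_` name hypothetical. `esc_html()` begins with `wp_check_invalid_utf8()`, which, when the site's `blog_charset` is UTF-8, returns an empty string for any input that is not valid UTF-8. A Latin-1 "à" is the single byte 0xE0, which is never valid UTF-8 on its own, so the whole string is discarded; `filter_var()` performs no such check, hence the difference. The usual root cause is a PHP source file saved in ISO-8859-1 rather than UTF-8, and the real fix is to re-save it as UTF-8; the conversion below is for data that arrives already mis-encoded.

```php
<?php
// Added example (not from the original post). Assumes WordPress (esc_html)
// and mbstring are available; the helper name is hypothetical.

/**
 * Return $text as valid UTF-8. Valid input is returned untouched; anything else
 * is assumed to be in $fallback_charset (the legacy encoding the file or form
 * was saved in) and transcoded.
 */
function mypfx_ensure_utf8( string $text, string $fallback_charset = 'ISO-8859-1' ): string {
    if ( mb_check_encoding( $text, 'UTF-8' ) ) {
        return $text;
    }
    return mb_convert_encoding( $text, 'UTF-8', $fallback_charset );
}

/**
 * Side-by-side behaviour on constructed samples of the same word.
 */
function mypfx_escape_demo(): array {
    $latin1 = "Voil\xE0";      // constructed: "Voilà" as ISO-8859-1 bytes
    $utf8   = "Voil\xC3\xA0";  // constructed: the same word in UTF-8

    return array(
        // Fails wp_check_invalid_utf8(), so esc_html() drops the entire string.
        'latin1_direct'    => esc_html( $latin1 ),
        // Transcoded first, so the check passes and the text survives escaping.
        'latin1_converted' => esc_html( mypfx_ensure_utf8( $latin1 ) ),
        // Already valid UTF-8: escaped normally.
        'utf8_direct'      => esc_html( $utf8 ),
    );
}
```

Calling `mypfx_escape_demo()` from the plugin and dumping the array shows the first entry empty and the other two intact. Transcoding is a guess about the source encoding, which is why fixing the file encoding is preferable to converting at runtime.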

How can I escape a single quote?

How can I escape a ' (single quote) in HTML? This is where I'm trying to use it: <input type="text" id='abc' value="hel"lo'> The result for the above code is "hel" populated in the text box. I tried to replace ' with \', but this is what I'm getting: <input type="text" id='abc' value="hel\"lo'> The result for the …

How to escape double quotes in a title attribute

I am trying to use a string that contains double quotes in the title attribute of an anchor. So far I tried these: <a href="https://stackoverflow.com/questions/3752769/.." title="Some \"text\"">Some text</a> <!-- The title looks like `Some \` --!> and <a href="https://stackoverflow.com/questions/3752769/.." title="Some &quot;text&quot;">Some text</a> <!-- The title looks like `Some ` --!> Please note that using single …
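Added example serving both questions above (the single quote in `value` and the double quotes in `title`), not code from either post; plain PHP, helper names illustrative. HTML has no backslash escape: inside an attribute value a backslash is ordinary data, which is why `hel\"lo` shows a literal backslash. The delimiter quote is written as a character reference, `&quot;` (or `&#34;`) for `"` and `&#039;`/`&#39;` for `'`. `htmlspecialchars()` with `ENT_QUOTES` encodes both quote kinds along with `&`, `<` and `>`, so the value can neither close the attribute nor start a tag; `ENT_HTML401` is chosen so the apostrophe becomes `&#039;` rather than `&apos;`, which HTML 4.01 does not define.

```php
<?php
// Added example (not from the original posts). Plain PHP.

/**
 * Escape a value for use inside a quoted HTML attribute (either quote style).
 * ENT_QUOTES encodes ' and ", ENT_SUBSTITUTE replaces invalid UTF-8 instead of
 * returning an empty string, ENT_HTML401 emits &#039; for the apostrophe.
 */
function attr( string $value ): string {
    return htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8' );
}

/**
 * Escape a value for a text node. Quotes are harmless here but encoding them
 * is not wrong; the essential ones are & < >.
 */
function text( string $value ): string {
    return htmlspecialchars( $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401, 'UTF-8' );
}

function render_input( string $id, string $value ): string {
    return sprintf( '<input type="text" id="%s" value="%s">', attr( $id ), attr( $value ) );
}

function render_link( string $href, string $title, string $label ): string {
    return sprintf(
        '<a href="%s" title="%s">%s</a>',
        attr( $href ),
        attr( $title ),
        text( $label )
    );
}

// The value from the first question, containing both kinds of quote.
echo render_input( 'abc', "hel\"lo'" ), PHP_EOL;

// The title from the second question.
echo render_link( 'https://stackoverflow.com/questions/3752769/..', 'Some "text"', 'Some text' ), PHP_EOL;

// Attacker-shaped input: the escaped form cannot leave the attribute.
echo render_input( 'abc', '" onmouseover="alert(1)' ), PHP_EOL;
```

The browser decodes the references when it builds the attribute, so the text box shows `hel"lo'` and the tooltip shows `Some "text"`; the escaping is only visible in the markup, never to the user.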

Escaping single quote in PHP when inserting into MySQL [duplicate]

This question already has answers here: How can I prevent SQL injection in PHP? (28 answers) Closed 6 years ago. I have a perplexing issue that I can't seem to comprehend… I have two SQL statements: The first enters information from a form into the database. The second takes data from the database entered above, …
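Added example, not code from the question or its linked duplicate; plain PHP with PDO, and the DSN, credentials, table and column names are placeholders. The quote in a name like O'Brien is not an escaping problem but a symptom of building SQL by string concatenation. Bound parameters keep the data out of the statement text entirely, so quotes and every other SQL metacharacter cannot change what the statement does, and the same applies to the second statement that reuses values read back from the database: stored data is still data.

```php
<?php
// Added example (not from the original post). Plain PHP + PDO; connection
// details and schema are placeholders.

function connect(): PDO {
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // charset here, not via SET NAMES
        'app_user',
        'app_password',
        array(
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares, not client-side quoting
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        )
    );
}

// VULNERABLE: the values become part of the SQL text. "O'Brien" makes the
// statement fail; a value such as   x', 'x'); DROP TABLE users; --   rewrites it.
function insert_user_unsafe( PDO $pdo, string $name, string $email ): void {
    $pdo->exec( "INSERT INTO users (name, email) VALUES ('$name', '$email')" );
}

// FIXED: placeholders in the statement, values supplied at execute time.
// No escaping is needed because the values never touch the SQL text.
function insert_user( PDO $pdo, string $name, string $email ): void {
    $stmt = $pdo->prepare( 'INSERT INTO users (name, email) VALUES (:name, :email)' );
    $stmt->execute( array( ':name' => $name, ':email' => $email ) );
}

// The second statement from the question: a value read from the database is
// bound exactly like form input when it is used in another query.
function find_by_name( PDO $pdo, string $name ): array {
    $stmt = $pdo->prepare( 'SELECT id, name, email FROM users WHERE name = ?' );
    $stmt->execute( array( $name ) );
    return $stmt->fetchAll();
}

$pdo = connect();
insert_user( $pdo, "O'Brien", 'obrien@example.com' );
foreach ( find_by_name( $pdo, "O'Brien" ) as $row ) {
    // Escape for the output context (HTML), which is a separate concern from SQL.
    echo htmlspecialchars( $row['name'], ENT_QUOTES, 'UTF-8' ), PHP_EOL;
}
```

`insert_user_unsafe()` is kept only to show the shape of the bug; the only place a raw quote should ever be "escaped" is when it is rendered into HTML, and that is done with `htmlspecialchars()`, not by touching the SQL.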