One of my text fields is saving a value with an apostrophe such as “Jim’s Store” in the database. When I tried to retrieve it using WP_Query(), it’s not returning any value.
I noticed that if I used stripslashes() in my search query args, it returned me the correct value: 'value' => stripslashes($_POST['store'])
My concern is that stripping slashes could potentially introduce security vulnerabilities, including the risk of SQL injection.
Is there a better way to address this?
Slashes are added to input to escape values because that is how your server is configured. If you access the raw values of $_POST then you must strip them before using them to query the db.
You are not inserting anything into the DB, you are looking for something that is already there. In addition to this, WP sanitizes the values when using WP_Query. This would only be a concern if you were directly querying the DB instead of using WP_Query. This is what the prepare() method of wpdb is for.
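As an added illustration of the answer above (not code from the question or the answer), here is the unslash-then-query pattern side by side with the direct-SQL case where prepare() matters. The post meta key 'store' is an assumption for the example.

```php
<?php
// Added example, not from the original post. Assumes the submitted
// value is stored in post meta under the key 'store' (hypothetical).

function find_posts_by_store( string $raw_store ): array {
    // WordPress re-adds magic-quotes slashes to $_POST on every request
    // (wp_magic_quotes()), so "Jim's Store" arrives as "Jim\'s Store".
    // wp_unslash() removes them; sanitize_text_field() then strips tags
    // and stray control characters. Neither step is SQL escaping.
    $store = sanitize_text_field( wp_unslash( $raw_store ) );

    // WP_Query builds the SQL itself and escapes meta values through
    // $wpdb, so the apostrophe is safe here and now matches the stored value.
    $query = new WP_Query( array(
        'post_type'      => 'any',
        'posts_per_page' => -1,
        'fields'         => 'ids',
        'meta_query'     => array(
            array(
                'key'     => 'store',
                'value'   => $store,
                'compare' => '=',
            ),
        ),
    ) );

    return $query->posts;
}

// Only when WP_Query is bypassed and SQL is written by hand does escaping
// become your job: $wpdb->prepare() binds the value via a %s placeholder.
function find_post_ids_by_store_direct( string $raw_store ): array {
    global $wpdb;
    $store = sanitize_text_field( wp_unslash( $raw_store ) );

    $sql = $wpdb->prepare(
        "SELECT post_id FROM {$wpdb->postmeta} WHERE meta_key = %s AND meta_value = %s",
        'store',
        $store
    );

    return array_map( 'intval', $wpdb->get_col( $sql ) );
}

// Usage from a form handler, with the 'store' POST field from the question:
// $ids = find_posts_by_store( $_POST['store'] ?? '' );
```

Both functions return the same post IDs for "Jim's Store"; the difference is that the first leaves escaping to WP_Query while the second shows where prepare() takes that role.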