How to securely provide a $_POST var in WP_Query with PHP 7?

Add question

Username* Please type your username .

E-Mail* Please type your E-Mail .

Question Title* Please choose an appropriate title for the question to answer it even easier .

Category Please choose the appropriate category so others can easily search your question.

Tags Please choose suitable Keywords Ex : question , poll .

Poll This question is a poll ? If you want to be doing a poll click here .

Featured image

Browse

Details*

Ask Anonymously Anonymous asks

Video description Do you need a video to description the problem better ?

Video type Choose from here the video type .

Video ID Put here the video id : https://www.youtube.com/watch?v=sdUUx5FdySs EX : 'sdUUx5FdySs'.

Notified Notified by e-mail at incoming answers.

Terms* By asking your question, you agree to the Terms of Service and Privacy Policy.

Captcha*

Question

In PHP 5.5 you had the function

mysql_real_escape_string()

and I always did

htmlspecialchars(mysql_real_escape_string($_POST['...]));

to secure against SQL-Injection.

With PHP 7 mysql_real_escape_string() is gone. An alternative is

mysqli_real_escape_string()

but that function needs a link to the mysqli object. When using WordPress to perform a query like this:

$query_args = array( 's' => $_POST['search'] ); $query = new WP_Query( $query_args );

I can’t provide a mysqli object. So Do I have to leave all the security stuff to WordPress? Is it enough to do:

$query_args = array( 's' => htmlspecialchars( $_POST['search'] ) ); $query = new WP_Query( $query_args );

mysql, php, wp-query SVARTBERG 7 years 2016-09-21T03:12:24-05:00 2016-09-21T03:12:24-05:00 0 Answers 87 views 0

Register Now