I got this SQL query where post_title is taken from $_GET:
$sql = "SELECT ID FROM posts WHERE posts.post_title = '5-design-web-colourful'";
What is the best way to sanitize this and make it safer?
EDIT (as requested): I'm trying to create a plugin that hides a particular category (named private) and all of its posts from every non-logged-in guest. I have hooked into 'pre_get_posts' and 'posts_selection' and am able to control how particular posts and categories are shown to admins, the member who wrote them, other members, and guests.
The category must not exist for them, so it cannot be shown on the category archive page in the front end.
I know it's not related to the question, because what I ask is just how to sanitize the name/title of a post, nothing more.
Use mysql_real_escape_string, assuming you use MySQL. While this doesn't directly answer your question, the better approach is to use bind parameters. This protects you from all attack vectors of this category.
http://php.net/manual/en/pdo.prepared-statements.php
http://www.php.net/manual/en/pdostatement.bindparam.php
For your example:
CAUTION: This assumes that $wpdb is safe!
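As an added illustration (not the answer's own code, which is missing here), the query from the question rewritten with bound parameters both ways the answer points at: WordPress's $wpdb->prepare() placeholders and plain PDO bindValue(). It assumes a WordPress context where the global $wpdb is available (the table name is taken from $wpdb->posts), and a PDO handle $pdo to the same schema for the second variant.

```php
<?php
// Added example, not from the question or the answer. Assumes WordPress ($wpdb)
// for the first function and a PDO connection for the second.

// Before: the title is pasted straight into the SQL text (what the question does),
// so a quote in the title changes the statement instead of being compared as data.
// $sql = "SELECT ID FROM posts WHERE posts.post_title = '" . $_GET['post_title'] . "'";

function find_post_id_wpdb( string $post_title ): ?int {
    global $wpdb;
    // %s is a prepare() placeholder: the value is escaped and quoted by $wpdb,
    // and the title never becomes part of the SQL grammar.
    $sql = $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title = %s",
        $post_title
    );
    $id = $wpdb->get_var( $sql );
    return $id === null ? null : (int) $id;
}

function find_post_id_pdo( PDO $pdo, string $post_title ): ?int {
    // With a real prepared statement the parameter travels separately from the
    // statement text, so the server never parses user input as SQL.
    $stmt = $pdo->prepare( 'SELECT ID FROM posts WHERE post_title = :title' );
    $stmt->bindValue( ':title', $post_title, PDO::PARAM_STR );
    $stmt->execute();
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Input handling for the WordPress variant: WordPress adds slashes to request
// data, so strip them first; then reject empty or oversized titles and leave all
// quoting to the placeholder rather than to an escaping function.
$title = isset( $_GET['post_title'] ) ? wp_unslash( (string) $_GET['post_title'] ) : '';
if ( $title === '' || strlen( $title ) > 200 ) {
    http_response_code( 400 );
    exit;
}
$post_id = find_post_id_wpdb( $title );
```

mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7.0, so the placeholder approaches above are also the ones that keep working on current PHP.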