While searching for partial string searches using WP_User_Query, I came across this answer by @kaiser, who has provided some great answers here on Stack Exchange. However, I was confused over the use of esc_attr to escape the LIKE term ('search' => '*' . esc_attr( $your_search_string ) . '*').

I believe WP_User_Query makes use of prepared statements, where such escaping would be unnecessary and a futile exercise. Am I right?

Secondly, if at all escaping has to be done, wouldn't like_escape() suit the purpose better?
like_escape() only escapes % and _ characters. The entire function looks like this:

Quoting from the Codex, esc_attr()

(Emphasis mine.)

Further reading: Data Validation
Edited to add — I didn't address the first part of the question: If WP_User_Query does its own data validation, then do we really need to use esc_attr() at all?

The Codex page for WP_User_Query doesn't seem to say one way or the other whether any data validation is done. (Searching the page for valid and escape turns up nothing, as well.) This, combined with a note from the esc_attr() page — "Will never double encode entities" — indicates to me that there's no harm in using esc_attr() on the values you're passing. Better safe than sorry, especially with untrusted user-provided data, right?
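The question and answer above turn on two different escaping contexts: esc_attr() escapes for an HTML attribute, while a LIKE term needs the LIKE metacharacters (% and _) neutralised and the value itself passed through a prepared statement. For reference, WP_User_Query::get_search_sql() in current WordPress does both itself, using $wpdb->esc_like() (the replacement for like_escape(), which was deprecated in 4.0) and $wpdb->prepare(). The example below is added here; it is not code from the question, the answer, or WordPress. It runs with plain PHP and the pdo_sqlite extension, with no WordPress loaded, and uses local stand-in functions (like_escape_term, attr_escape_term) that mimic $wpdb->esc_like() and esc_attr() respectively; the SQLite ESCAPE '\' clause stands in for MySQL's default backslash escape in LIKE. The constructed user table and the two searches show, on sample input, what each choice of escaping does to a LIKE search.

```php
<?php
// Added example: escaping a user-supplied LIKE term in the right context.
// Not from the original post or from WordPress core; names below are stand-ins.
declare(strict_types=1);

// Stand-in for $wpdb->esc_like(): backslash-escape the LIKE metacharacters
// (% and _) and the backslash itself so that they match literally.
function like_escape_term(string $term): string
{
    return addcslashes($term, '_%\\');
}

// Stand-in for esc_attr(): HTML-attribute escaping (entity-encodes & < > " ').
// This is escaping for the wrong context when the value feeds a LIKE clause.
function attr_escape_term(string $term): string
{
    return htmlspecialchars($term, ENT_QUOTES, 'UTF-8', false);
}

// Constructed sample data, standing in for wp_users.display_name.
function build_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (display_name TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (display_name) VALUES (?)');
    foreach (['dan_admin', 'Danny', "O'Reilly & Sons", 'Maria'] as $name) {
        $ins->execute([$name]);
    }
    return $db;
}

/**
 * Run a "contains" search the way WP_User_Query's 'search' => '*term*' does:
 * optional escaping of the raw term, wildcards added around it, and the whole
 * pattern passed as a bound parameter (the prepared-statement part).
 *
 * @param callable|null $escape escaping applied to $raw before it becomes the LIKE term
 * @return string[] matching display names
 */
function search_users(PDO $db, string $raw, ?callable $escape): array
{
    $term = $escape === null ? $raw : $escape($raw);
    // The bound parameter means the quote in O'Reilly can never break out of
    // the SQL string; escaping is only needed for LIKE's own metacharacters.
    // ESCAPE '\' reproduces MySQL's default backslash escape for LIKE in SQLite.
    $sql = "SELECT display_name FROM users"
         . " WHERE display_name LIKE ? ESCAPE '\\'"
         . " ORDER BY display_name";
    $stmt = $db->prepare($sql);
    $stmt->execute(['%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = build_db();

// Case 1: a lone underscore typed by the user. Unescaped, "_" is a LIKE
// wildcard and matches every single-character position, so every user comes
// back; like-escaped it matches only names containing a literal underscore.
printf("'_' unescaped    : %s\n", implode(', ', search_users($db, '_', null)));
printf("'_' like-escaped : %s\n", implode(', ', search_users($db, '_', 'like_escape_term')));

// Case 2: a name containing an apostrophe and an ampersand. The prepared
// statement handles the quote; like_escape leaves both characters alone and
// the row is found. esc_attr turns them into &#039; and &amp;, which do not
// appear in the stored value, so the same search silently finds nothing.
$name = "O'Reilly & Sons";
printf("%s like-escaped : %s\n", $name, implode(', ', search_users($db, $name, 'like_escape_term')));
printf("%s attr-escaped : [%s]\n", $name, implode(', ', search_users($db, $name, 'attr_escape_term')));
```

The second case is the practical objection to esc_attr() on a query value: it is harmless against SQL injection only because the prepared statement already is, and it costs correctness, since any search containing &, <, >, " or ' is rewritten into entities before it reaches the database. The first case is what like_escape() / $wpdb->esc_like() is for: without it a user can widen a search with % or _ and enumerate rows the application intended to filter.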