I’ve tried to import an option value via update_options($name, $value) where $value has special characters (like apostrophes, for example) and I’ve noticed that the apostrophe gets stripped out of the text before it reaches the database.
What is the suggested sanitization of strings prior to sending them to update_options()?
Try
esc_html( $string )
(Codex ref), which among other things encodes single- and double-quotes. For further reference, see the Data Validation entry in the Codex.
You should not use esc functions for data that’s going into the database. esc functions are for output only.
The update_option() function sanitizes for you, so there’s no need to run any extra san functions.
I can’t comment on Chris Flannagan’s answers so… update_options() does not sanitize all options. Some core options are sanitized, but custom options are not. You must sanitize the input yourself.
https://www.wordfence.com/blog/2018/11/xss-injection-campaign-exploits-wordpress-amp-plugin/
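
The split the answers above describe (sanitize on the way into the database, escape on the way out), as an added example that is not part of any of the posts. It assumes it runs inside WordPress as plugin code; the option name, form field, action name and function names are hypothetical.

```php
<?php
// Added example; all "myplugin_*" names are hypothetical.
const MYPLUGIN_OPTION = 'myplugin_tagline';

// Input side: update_option() passes the value through sanitize_option(),
// which applies the sanitize_option_{$option} filter. A custom option has
// no built-in rule, so attach one.
function myplugin_sanitize_tagline( $value ) {
	if ( ! is_scalar( $value ) ) {
		return '';
	}
	// Strips tags, line breaks and extra whitespace; apostrophes are kept.
	return sanitize_text_field( (string) $value );
}
add_filter( 'sanitize_option_' . MYPLUGIN_OPTION, 'myplugin_sanitize_tagline' );

// Form handler: only an authorized user with a valid nonce may write the option.
function myplugin_handle_save() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Forbidden', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'myplugin_save' );

	// WordPress adds slashes to $_POST; remove them so ' is not stored as \'.
	$raw = isset( $_POST['tagline'] ) ? wp_unslash( $_POST['tagline'] ) : '';
	update_option( MYPLUGIN_OPTION, $raw ); // the filter above runs here

	wp_safe_redirect( admin_url( 'options-general.php' ) );
	exit;
}
add_action( 'admin_post_myplugin_save', 'myplugin_handle_save' );

// Output side: escape for the context at the point of output, not before storage.
function myplugin_render_tagline() {
	$tagline = get_option( MYPLUGIN_OPTION, '' );
	echo '<p>' . esc_html( $tagline ) . '</p>';
}
```

Values read from a file rather than from `$_POST` are not slashed, so they should go to `update_option()` without the `wp_unslash()` call.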