Is it necessary to escape LIKE term in WP_User_Query?

While searching for partial string searches using WP_User_Query I came across this answer by @kaiser who has provided some great answers here on Stack Exchange. However, I was confused over the use of esc_attr to escape the LIKE term ('search' => '*' . esc_attr( $your_search_string ) . '*').

I believe WP_User_Query makes use of prepared statements where such escaping would be unnecessary and a futile exercise. Am I right?


Secondly, if at all, escaping has to be done, wouldn’t like_escape() suit the purpose better?


1 comment

  1. like_escape() only escapes % and _ characters. The entire function looks like this:

    function like_escape($text) {
        return str_replace(array("%", "_"), array("\%", "\_"), $text);
    }
    

    Quoting from the Codex, esc_attr()

    Encodes the <, >, &, " and ' (less than, greater than, ampersand, double quote and single quote) characters. Will never double encode entities.

    Always use when escaping HTML attributes (especially form values) such as alt, value, title, etc.

    (Emphasis mine.)

    Further reading: Data Validation

    Edited to add — I didn’t address the first part of the question: If WP_User_Query does its own data validation, then do we really need to use esc_attr() at all?

    The Codex page for WP_User_Query doesn’t seem to say one way or the other whether any data validation is done. (Searching the page for valid and escape turns up nothing, as well.) This, combined with a note from the esc_attr() page — “Will never double encode entities” — indicates to me that there’s no harm in using esc_attr() on the values you’re passing. Better safe than sorry, especially with untrusted user-provided data, right?
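The difference between the two escapers matters in practice, and the following added example (not code from the question, the comment or WordPress core) shows why, using both of the points raised above: what like_escape() protects against, and what esc_attr() does to a LIKE term. like_escape() is re-implemented here exactly as quoted so the script runs without WordPress; esc_attr() is approximated with htmlspecialchars(), which encodes the same five characters. SQLite is used as the sample database, with constructed rows; unlike MySQL it has no default escape character for LIKE, so the ESCAPE clause is written out. Note that wildcard escaping is only one half of the job: the escaped term still has to be bound as a value (prepare()) rather than interpolated into the SQL, which is what WP_User_Query does internally via $wpdb->prepare(), so the caller's own esc_attr() buys nothing and changes the term. Since WordPress 4.0 like_escape() is deprecated in favour of $wpdb->esc_like(), which does the same wildcard escaping.

```php
<?php
// Added example, not from the original post or WordPress core: an HTML-attribute
// escaper is the wrong tool for a SQL LIKE term, and LIKE escaping only covers
// the wildcard characters. Binding the pattern as a placeholder value handles
// the rest (quotes, injection); esc_attr() is neither necessary nor sufficient.
//
// Assumptions: like_escape() copied as quoted above; esc_attr() approximated by
// htmlspecialchars() (same five characters: < > & " '); SQLite stands in for
// MySQL, hence the explicit ESCAPE '\' (MySQL honours backslash by default).

declare(strict_types=1);

function like_escape(string $text): string
{
    return str_replace(array("%", "_"), array("\%", "\_"), $text);
}

function esc_attr_approx(string $text): string
{
    // Stand-in for WordPress esc_attr(): HTML-entity-encodes < > & " '.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

function build_pattern(string $term, ?callable $escaper = null): string
{
    // Mirrors the '*term*' => '%term%' wrapping: escape the user's term first,
    // then add the intended wildcards, and bind the whole thing as ONE value.
    $escaped = $escaper ? $escaper($term) : $term;
    return '%' . $escaped . '%';
}

function matching_logins(PDO $db, string $pattern): array
{
    // The pattern is a bound value, never concatenated into the SQL text.
    $stmt = $db->prepare(
        "SELECT user_login FROM users WHERE user_login LIKE :p ESCAPE '\\' ORDER BY user_login"
    );
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function demo(): array
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user_login TEXT)');

    // Constructed sample rows: only the first literally contains "a_b&c".
    $ins = $db->prepare('INSERT INTO users VALUES (:l)');
    foreach (['team_a_b&c', 'team-axb&c', 'team_a_b&amp;c', 'unrelated'] as $login) {
        $ins->execute([':l' => $login]);
    }

    // Untrusted search term: '_' is a LIKE wildcard; '&' is special only in HTML.
    $term = 'a_b&c';

    return [
        // '_' acts as a wildcard, so 'team-axb&c' is a false positive.
        'raw'         => matching_logins($db, build_pattern($term)),
        // Wildcard escaped: exactly the row containing the literal term.
        'like_escape' => matching_logins($db, build_pattern($term, 'like_escape')),
        // '&' became '&amp;' and '_' is still a wildcard: the right row is
        // missed and a row containing the HTML entity is matched instead.
        'esc_attr'    => matching_logins($db, build_pattern($term, 'esc_attr_approx')),
    ];
}

print_r(demo());
```

Running it gives raw => [team-axb&c, team_a_b&c], like_escape => [team_a_b&c] and esc_attr => [team_a_b&amp;c]: the HTML escaper both leaves the LIKE wildcard live and alters the term so it no longer matches the data it was meant to find, while the wildcard escaper plus a bound placeholder returns exactly the intended row.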
