attribute_escape() versus $wpdb->escape()
I was reading a security article that mentioned using attribute_escape() on any form input that was going to be displayed back to the user so as to remove the possibility of exploit code being run. I was wondering though if you use $wpdb->escape() on form data that will be put in the database, do you also need to use attribute_escape() on the same data if it will also be shown to the user after the database write is done, or are both of these functions doing the same thing essentially but for different reasons? (one on data not related specifically to the database, the other for data definitely going to the database).
I don’t want to unnecessarily run data through extra functions if it isn’t required or is already successfully processed to remove problems.
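Added example, not part of the original post and not WordPress code: it follows one form value through the database write and the later display that the question describes. `addslashes()` and `htmlspecialchars()` are PHP built-ins used here as stand-ins for SQL-literal escaping and HTML-attribute escaping so the script runs without WordPress; the `people` table, the helper names and the sample input are assumptions made up for illustration.

```php
<?php
// Stand-ins so the example runs without WordPress (assumptions, not WordPress code):
// escaping for a quoted SQL string literal vs. escaping for an HTML attribute value.
function sql_literal_escape(string $s): string
{
    return addslashes($s);
}

function html_attr_escape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// True when the value can sit inside value="..." without ending the attribute early.
function safe_in_double_quoted_attr(string $s): bool
{
    return strpos($s, '"') === false;
}

// Constructed form input containing both quote characters.
$input = 'Tom "The Cat" O\'Neil';

// 1. Database write: the escaping applies only to the SQL text.
//    The SQL parser consumes the backslashes, so the row stores the original value.
$sql = "INSERT INTO people (name) VALUES ('" . sql_literal_escape($input) . "')";
$stored = $input; // what a later SELECT hands back

// 2. Display: the stored value is raw again, so it needs escaping for the HTML context.
$candidates = [
    'stored value, no escaping' => $stored,
    'SQL-escaped value reused'  => sql_literal_escape($input),
    'HTML-attribute-escaped'    => html_attr_escape($stored),
];

echo $sql, "\n\n";
foreach ($candidates as $label => $value) {
    printf(
        "%-28s <input value=\"%s\">  => %s\n",
        $label,
        $value,
        safe_in_double_quoted_attr($value) ? 'attribute intact' : 'attribute ends early'
    );
}
```

A backslash has no meaning inside an HTML attribute, so the SQL-escaped value still closes `value="..."` at its first double quote; only the entity-encoded form keeps the attribute intact.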