I'm working on a custom WordPress theme, and there's a part where I'm pulling data using a query that is protected by wpdb->prepare.

After I look at the resulting text, it appears the escape slash is stuck on the website. E.g. surf's up becomes surf\'s up.

Anyway, my main real question is: if I simply apply stripslashes to some of the query fields after they've been pulled, will I be compromising the safety applied by wpdb->prepare?


'altText' => stripslashes($myrow_home->alttext),

Thanks for looking, mro.

Obviously, wpdb->prepare() prepares the string for DB use, therefore it escapes the quotes to prevent injections of all kinds.

I don't really understand why you'd intercept a prepared value for uses other than the DB, but it is safe to stripslash it, provided of course that you do not use the stripslashed value afterwards inside a DB query!

Quick answer is that you can use stripslashes without compromising the safety of wpdb->prepare.

From the WordPress Function Reference:

As with all functions in this class that execute SQL queries, you must SQL escape all inputs (e.g., wpdb->escape($user_entered_data_string)).

Have a look at http://codex.wordpress.org/wpdb_Class#Protect_Queries_Against_SQL_Injection_Attacks for more information.

Also make sure to read: http://codex.wordpress.org/Data_Validation

It is crucial that you understand how WordPress Data Validation works before you create a theme.
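Putting the two answers together, here is an added example (my own code, not from the question or either answer) of the pattern under discussion: a lookup through $wpdb->prepare(), stripslashes applied only to the returned field, and HTML escaping on output as the Data Validation page describes. It assumes a WordPress environment with $wpdb loaded and a hypothetical table {$wpdb->prefix}home_slides with columns id and alttext; the function names are mine.

```php
<?php
/*
 * Added example (not code from the original thread). Assumes it runs inside
 * WordPress with $wpdb loaded, and a hypothetical custom table
 * {$wpdb->prefix}home_slides with columns id (int) and alttext (text).
 */

/**
 * Store a caption. The slashes the asker sees usually originate here:
 * WordPress adds slashes to $_POST/$_GET (wp_magic_quotes), so a raw
 * request value stored through $wpdb->insert() keeps them.
 */
function mro_example_store_caption( $raw_alttext ) {
    global $wpdb;
    $table = $wpdb->prefix . 'home_slides'; // hypothetical table

    // Remove request-level slashes first; $wpdb->insert() escapes the
    // value for SQL itself, so no manual SQL escaping is needed here.
    $clean = stripslashes_deep( $raw_alttext );

    $wpdb->insert( $table, array( 'alttext' => $clean ), array( '%s' ) );
    return $wpdb->insert_id;
}

/**
 * Look up captions matching a user-supplied string and return them ready
 * for use in an HTML attribute.
 */
function mro_example_find_captions( $needle, $limit = 5 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'home_slides'; // hypothetical table

    // UNSAFE: interpolating $needle directly lets a quote break out of
    // the string literal. Shown only for contrast; never run this form.
    // $sql = "SELECT id, alttext FROM {$table} WHERE alttext = '$needle'";

    // SAFE: prepare() escapes $needle for this statement only. For
    // "surf's up" the SQL text becomes ... WHERE alttext = 'surf\'s up',
    // but that backslash is consumed by MySQL and is never stored.
    $sql = $wpdb->prepare(
        "SELECT id, alttext FROM {$table} WHERE alttext = %s LIMIT %d",
        $needle,
        (int) $limit
    );

    $out = array();
    foreach ( $wpdb->get_results( $sql ) as $row ) {
        // Safe to strip here: the query has already executed, and this
        // value goes to the page, not back into SQL. If a backslash is
        // present it was stored with the data, not added by prepare().
        $alt = stripslashes( $row->alttext );

        // SQL escaping is not HTML escaping: escape again for the
        // attribute context on the way out.
        $out[] = array(
            'id'      => (int) $row->id,
            'altText' => esc_attr( $alt ),
        );
    }
    return $out;
}

// Usage, e.g. from a theme template:
// mro_example_store_caption( $_POST['alttext'] );
// $slides = mro_example_find_captions( "surf's up" );
// foreach ( $slides as $s ) { echo '<img alt="' . $s['altText'] . '" src="...">'; }
```

Two points worth keeping in mind. First, stripslashes on the way out is harmless to the query, exactly as the answers say, but it is a symptom fix: stripslashes removes every backslash, including ones that belong to the data, so the cleaner place to deal with slashes is before the value is stored. Second, the escaping that prepare() applies protects the SQL statement only; a value that is safe in SQL still needs esc_attr() or esc_html() when it is written into the page.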