I'm focusing on creating a custom WordPress theme - and there's a piece where I'm tugging data using a query that is protected by wpdb->prepare.
When I look at the resulting text that's drawn, an escape slash is stuck in it on the website. E.g. surf's up becomes surf\'s up.
Anyhow - my primary real question is - if I apply stripslashes to a few of the query fields after they've been drawn, will I be compromising the safety applied by wpdb->prepare?
'altText' => stripslashes($myrow_home->alttext),
Thank you for searching, mro.
Obviously, wpdb->prepare() prepares the string for DB use, therefore it escapes the quotes to prevent injections of all kinds.
I do not really understand why you'd intercept a prepared value for other uses than DB, but it is safe to stripslash it, provided obviously you do not make use of the stripslashed value after inside a DB query!
The rapid answer is that you could use stripslashes without compromising the safety of wpdb->prepare.
From the WordPress Function Reference:
As with all functions within this class that execute SQL queries, you have to SQL escape all inputs (e.g., wpdb->escape($user_joined_data_string)).
Have a look at http://codex.wordpress.org/wpdb_Class#Protect_Queries_Against_SQL_Injection_Attacks for more information.
Also make sure to read: http://codex.wordpress.org/Data_Validation
It is crucial that you know how WordPress Data Validation works before you decide to produce a theme.
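
The separation the answers above describe, as an added example that is not part of the original posts: prepare() guards the query on the way in, stripslashes() only touches the value on the way out, and the unslashed text is then escaped for the HTML it is printed into. It assumes a WordPress theme context; the function names, the table name and the `id` and `src` columns are hypothetical, and `alttext` is the field from the question.

```php
<?php
// Added example for a WordPress theme file; runs inside WordPress, where $wpdb
// and the esc_* helpers are defined. The table name and the id / src columns
// are hypothetical; alttext is the field from the question.

function mytheme_get_home_image( $image_id ) {
    global $wpdb;

    // Input side: the placeholder keeps $image_id out of the SQL text.
    $table = $wpdb->prefix . 'home_images'; // hypothetical table
    $row   = $wpdb->get_row(
        $wpdb->prepare( "SELECT id, src, alttext FROM {$table} WHERE id = %d", $image_id )
    );
    if ( null === $row ) {
        return null;
    }

    // Output side: the query has already run, so removing stored backslashes
    // here cannot change what prepare() did for it.
    return array(
        'id'      => (int) $row->id,
        'src'     => $row->src,
        'altText' => stripslashes( $row->alttext ),
    );
}

function mytheme_render_home_image( $image_id ) {
    $image = mytheme_get_home_image( absint( $image_id ) );
    if ( null === $image ) {
        return '';
    }
    // The unslashed text is raw data again: escape it for the HTML context
    // it is printed into (see the Data Validation page linked above).
    return sprintf(
        '<img src="%s" alt="%s" />',
        esc_url( $image['src'] ),
        esc_attr( $image['altText'] )
    );
}

function mytheme_find_by_alt( $alt_text ) {
    global $wpdb;
    $table = $wpdb->prefix . 'home_images'; // hypothetical table
    // If the unslashed value ever goes back into a query, it goes through
    // prepare() again, never by string concatenation.
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id FROM {$table} WHERE alttext = %s", $alt_text )
    );
}
```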