
So I have this code:

 $infos['title'] = addslashes("Le Roi D'Australie");
 $offer = get_page_by_title($infos['title'], ARRAY_A, 'post');

This doesn't work, whereas all the other posts I have with no quote are actually working well.

Do you have an answer? get_page_by_title should escape the title for me... I must have missed something.

Thank you in advance.

KeizerBridge

1 Answer

wpdb->prepare (used by get_page_by_title) already correctly prevents SQL injection when the parameterized form is used.

All data in SQL queries must be SQL-escaped before the SQL query is executed to prevent against SQL injection attacks. The prepare method performs this [SQL-escaping] functionality for WordPress.

Simply remove the addslashes call as it adds in a useless/extra slash that makes the query fail. It is valid SQL in either case (thanks to prepare), but it uses a now-over-slashed-value.

Then read through this question/answer to see why addslashes is never correct for SQL. (Best solution is to only use wpdb->prepare, or similar placeholder models, and methods that use it.)

user2864740
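To make the answer's point concrete, here is an added example that is not from the question, the answer or WordPress itself. It stands in for wpdb->prepare with a plain PDO parameterized query against an in-memory SQLite table (a constructed substitute for the WordPress posts table), and shows that the raw title matches the stored row while the addslashes()'d title does not, because the backslash becomes part of the compared value:

```php
<?php
// Added example, not from the original post: shows why addslashes() before a
// parameterized query breaks the lookup. PDO + in-memory SQLite stands in for
// $wpdb->prepare() and the posts table; the table and row are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE posts (ID INTEGER PRIMARY KEY, post_title TEXT, post_type TEXT)");

// Insert the title through a placeholder: the apostrophe is stored as-is,
// with no backslash in front of it.
$ins = $db->prepare("INSERT INTO posts (post_title, post_type) VALUES (?, ?)");
$ins->execute(["Le Roi D'Australie", 'post']);

// Hypothetical lookup helper mirroring what get_page_by_title() does:
// the placeholder takes care of escaping, so the caller passes the raw title.
function find_by_title(PDO $db, string $title): ?array {
    $stmt = $db->prepare(
        "SELECT ID, post_title FROM posts WHERE post_title = ? AND post_type = 'post'"
    );
    $stmt->execute([$title]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$title = "Le Roi D'Australie";

// Raw title: the parameter value equals the stored title, so the row is found.
$found = find_by_title($db, $title);
echo "raw title found: ", ($found !== null ? 'yes' : 'no'), PHP_EOL;

// addslashes() turns the value into  Le Roi D\'Australie ; the backslash is
// data, not SQL syntax, so no stored title equals it and nothing is found.
$slashed = addslashes($title);
echo "value sent after addslashes: ", $slashed, PHP_EOL;
$found = find_by_title($db, $slashed);
echo "slashed title found: ", ($found !== null ? 'yes' : 'no'), PHP_EOL;
```

Run it with the php CLI (it needs the pdo_sqlite extension). The query is safe in both calls, since the value never touches the SQL text; the only effect of addslashes() is to search for a title that does not exist, which is exactly the symptom in the question.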