If you’re adding untrusted input to a ProcessWire selector then you’ve likely used $sanitizer->selectorValue().
The problem with this is that it strips out some characters that you may wish to use in a search.
Try this instead:
function escapeSelectorValue($string) {
    // Backslash-escape any double quotes in the value, then wrap the whole value in double quotes
    return '"' . str_replace('"', '\"', $string) . '"';
}
This function wraps the value in double quotes and then adds a backslash before any double quotes within the string itself. This allows the full string to be safely used as a single value in a selector.
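As an added example (not code from the original post), here is the function used to build a selector from untrusted search input, alongside the naive string concatenation it replaces. The helper name buildTitleSelector, the template name and the sample input are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original post. Assumes ProcessWire selector
// syntax, where a double-quoted value may contain commas and "=" characters.

function escapeSelectorValue($string) {
    // Backslash-escape embedded double quotes, then wrap the whole value in quotes
    return '"' . str_replace('"', '\"', $string) . '"';
}

// Build a title search selector from untrusted user input (hypothetical helper).
function buildTitleSelector($userInput) {
    return 'template=post, title%=' . escapeSelectorValue($userInput);
}

// Constructed sample input: contains a quote, a comma and an equals sign,
// all characters a user might legitimately type into a search box.
$input = 'summer "sale", limit=100';

// Naive concatenation: the comma in the input lands unquoted in the selector,
// so it reads as a clause separator rather than as part of the search term.
echo 'template=post, title%=' . $input, PHP_EOL;
// template=post, title%=summer "sale", limit=100

// Escaped: the entire input is a single quoted value of the title%= clause.
echo buildTitleSelector($input), PHP_EOL;
// template=post, title%="summer \"sale\", limit=100"

// In a ProcessWire template you would then pass the result to the API, e.g.
// $results = $pages->find(buildTitleSelector($input));
```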
Tim Bennett is a Leeds-based web designer from Yorkshire. He has a First Class Honours degree in Computing from Leeds Metropolitan University and currently runs his own one-man web design company, Texelate.