I’m wishing to add some functionality to a client WordPress site that allows you to include taxonomy terms from custom post types in the WordPress search, and come across the following answer:
Include custom taxonomy term in search
This solution does work, but in the comments a user has mentioned that it’s “probably not a good idea to inject the raw publicly available search string directly into an SQL query.” and added a link for further reading. I can’t see anything in this link that relates to the specifices of the answer though.
For quick reference the code for the answer is below, would this code be a security risk? And if so what would the solution be so you can still have the functionality of being able to include taxonomy terms in the WP search without the security risk?
Many thanks
// search all taxonomies, based on: http://projects.jesseheap.com/all-projects/wordpress-plugin-tag-search-in-wordpress-23 function atom_search_where($ where){ global $ wpdb; if (is_search()) $ where .= "OR (t.name LIKE '%".get_search_query()."%' AND {$ wpdb->posts}.post_status = 'publish')"; return $ where; } function atom_search_join($ join){ global $ wpdb; if (is_search()) $ join .= "LEFT JOIN {$ wpdb->term_relationships} tr ON {$ wpdb->posts}.ID = tr.object_id INNER JOIN {$ wpdb->term_taxonomy} tt ON tt.term_taxonomy_id=tr.term_taxonomy_id INNER JOIN {$ wpdb->terms} t ON t.term_id = tt.term_id"; return $ join; } function atom_search_groupby($ groupby){ global $ wpdb; // we need to group on post ID $ groupby_id = "{$ wpdb->posts}.ID"; if(!is_search() || strpos($ groupby, $ groupby_id) !== false) return $ groupby; // groupby was empty, use ours if(!strlen(trim($ groupby))) return $ groupby_id; // wasn't empty, append ours return $ groupby.", ".$ groupby_id; } add_filter('posts_where','atom_search_where'); add_filter('posts_join', 'atom_search_join'); add_filter('posts_groupby', 'atom_search_groupby');