update_usermeta does not escape meta data
|Reported by:||kccricket||Owned by:|
update_usermeta does not escape any of the data passed to it.
I ran into this issue while attempting to pass an array that contains a value that contains an apostrophe to update_usermeta. This raises a WPDB error. The array is serialized by the function, but the apostrophes are not properly escaped, malforming the SQL query.
If the data in the array is escaped before being passed to update_usermeta, the query completes successfully. However, when the array is retrieved with get_usermeta, it is not unserialized and is returned as a string instead of an array.
update_option works as expected and does not exhibit this behavior.