I’m new to WordPress and was wondering why the WordPress API tells you to use functions such as prepare(), insert(), get_col(), get_row(), query(), etc. when technically I can use the built-in PHP-SQL functions such as mysqli_query(), mysqli_fetch_assoc(), etc.

What exactly are the advantages of using the $wpdb SQL functions to execute queries?
There are a few different reasons.
1. Separation of Concerns
Fundamentally, your logical code (i.e. your plugin or your theme) should not need to know anything about the database. At all. Really.
The $wpdb object is the global database access layer, and you should be using it for all of your database access. If you need to run a custom query (let’s say you have a custom table somewhere) then you should use $wpdb->prepare() and $wpdb->query() to prepare your queries and fetch data from the database.

2. Security
It’s very easy to forget to sanitize a query and open your site to some kind of SQL injection attack. Using WordPress’ built-in sanitation methods is one way of protecting against this. It’s not perfect (you could still write a really bad query) but it definitely helps.
3. Performance
The queries built in to the WordPress API have been pored over by several developers and tweaked to run with the smallest memory footprint and return as quickly as possible. In addition, some of these API calls are self-caching, so you can “query” for data that hasn’t changed and is already in memory. This is a huge performance benefit over making a direct SQL call.
And with every new version of WordPress, we make changes to make things faster and more nimble.
4. Flexibility and Stability
The database is not a fixed construct. The table schema can and will change. Hard-coding queries to WordPress objects in your own code is an inflexible maintenance nightmare. When a new version of WP drops, you’ll have to rewrite your queries again … opening yourself up to potential vulnerabilities (#2) again or negatively impacting your site’s performance (#3).
The Bottom Line
All of PHP is still available to you. You can make direct connections to whatever database you need and run whatever queries you want. But WordPress has already (in the majority of cases) done the heavy lifting and abstracted these calls for you.
The benefit of using $wpdb is that it’s already there, is maintained by several developers, and is well-documented. You don’t have to reinvent the wheel. And you know, if WordPress changes, it will change along with it for you.

Yes, you can use PHP’s SQL functions in WordPress. WordPress is written in PHP, so all PHP functions are available in plugins.
To answer your second question, the main advantages of wpdb are convenience and safety. The wpdb library is a database abstraction layer that provides a ton of useful functions. For example, when using the wpdb->insert() and wpdb->update() functions, you don’t write any SQL and you don’t have to worry about escaping the contents of variables (the wpdb documentation for wpdb->update() says that they should be unescaped).

Update: It should be noted that wpdb does not escape SQL queries in functions like select(). Read the DB section of the Data Validation article for more information.

To elaborate on fdsa’s response, wpdb has built-in caching as well for query optimization.

wpdb also provides convenience variables for the names of database tables. This is extremely useful when coding for a network/multisite environment.

For reference: Class Reference/wpdb on the official docs.