Do $wpdb->insert(..) and $wpdb->update(..) automatically sanitize data?

I’m trying to ensure that I avoid any SQL injections so I’m curious how WordPress handles these types of situations.

I would like to use the WordPress wrapper to insert new values into the database. Say I have the following snippet:

<?php
global $wpdb; // WordPress database object; needed when this runs inside a function

// Raw, untrusted request value: passed to $wpdb->insert() without manual escaping
$var = $_POST['var'];
$qry = $wpdb->insert(
    'my_table',
    array(
        'var'     => $var,
        'column2' => 123
    )
);
if ($qry) {
    // insert() returns the number of rows inserted, or false on failure
    $new_record_id = $wpdb->insert_id;
    echo 'Record was inserted successfully with an id of ' . $new_record_id;
} else {
    echo "There was an error with the SQL query";
}
?>

I looked into the WordPress Codex, and it says not to escape these values, but I want to ensure that I’m not leaving myself open to SQL injections. Am I protected, or is there anything else I need to do? Do I have to worry about SELECT statements as well?

Here is the Codex for reference: http://codex.wordpress.org/Class_Reference/wpdb

Thanks in advance!
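The following is an added example, not code from the question above: it shows the same insert written with `$wpdb->insert()`, an `$wpdb->update()` call, and the SELECT case the question asks about, handled with `$wpdb->prepare()`. The table name `my_table` and the columns `var` and `column2` come from the question; the `id` column, the use of `$wpdb->prefix`, and the request shape are assumptions made for illustration.

```php
<?php
// Added example (not from the original question). Assumes a table
// {$wpdb->prefix}my_table with columns id, var, column2.
global $wpdb;

$table = $wpdb->prefix . 'my_table';

// 1. INSERT: hand over the raw value. $wpdb->insert() escapes it itself.
//    The optional third argument pins each value's type (%s string, %d int,
//    %f float), so a value like "123abc" is not accepted where an int is meant.
//    wp_unslash() strips the slashes WordPress adds to $_POST; it is not escaping.
$var  = isset( $_POST['var'] ) ? wp_unslash( $_POST['var'] ) : '';
$rows = $wpdb->insert(
    $table,
    array( 'var' => $var, 'column2' => 123 ),
    array( '%s', '%d' )
);
if ( false === $rows ) {
    echo 'Insert failed: ' . esc_html( $wpdb->last_error );
} else {
    echo 'Inserted row id ' . (int) $wpdb->insert_id;
}

// 2. UPDATE: both the SET data and the WHERE values are escaped for you.
//    Caveat on the return value: false on error, otherwise the number of
//    rows changed, which is 0 when nothing matched or the row already held
//    that value. Test for false explicitly rather than for truthiness.
$updated = $wpdb->update(
    $table,
    array( 'column2' => 456 ),                // SET
    array( 'id' => (int) $wpdb->insert_id ),  // WHERE (id column assumed)
    array( '%d' ),                            // format of SET values
    array( '%d' )                             // format of WHERE values
);
if ( false === $updated ) {
    echo 'Update failed: ' . esc_html( $wpdb->last_error );
}

// 3. SELECT: there is no wrapper that builds the statement for you, so the
//    only escaping is the escaping you do. Never interpolate request data
//    into the SQL string; pass it through $wpdb->prepare() placeholders.
//
//    Vulnerable form, kept in a comment only:
//    $wpdb->get_results( "SELECT * FROM $table WHERE var = '{$_POST['var']}'" );
//    An input such as  x' OR '1'='1  changes the meaning of that query.
$results = $wpdb->get_results(
    $wpdb->prepare(
        "SELECT id, var, column2 FROM {$table} WHERE var = %s AND column2 > %d",
        $var,
        100
    )
);

// LIKE needs one extra step: prepare() quotes the string but does not
// neutralise the % and _ wildcards, so escape them with esc_like() first.
$needle  = '%' . $wpdb->esc_like( $var ) . '%';
$matches = $wpdb->get_results(
    $wpdb->prepare( "SELECT id FROM {$table} WHERE var LIKE %s", $needle )
);

// Not escaped by any of the above: table and column names. Take them from
// constants or a fixed whitelist, never from request data.
```

The practical rule this illustrates: `insert()` and `update()` escape values, so the question's snippet is not open to injection through `$var`; what they do not escape are identifiers, and nothing escapes a hand-built SELECT except `prepare()`.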
