How to use $wpdb->prepare to update a custom table

As a noob I don't understand a lot about SQL injections, but I need to be safe, so I have read that I have to use $wpdb->prepare to make sure the data is stored correctly.

At this moment I use the $wpdb->update() query, so I need some help to transform this into a safe query with $wpdb->prepare().

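    $wpdb->update( $table_name, array( // $table_name: placeholder, the table name is missing from the post
        'option_1' => 'hello',
        'option_2' => 2,
        'option_3' => 'world'
    ), array( 'option_name' => 'some name' ), // WHERE clause
       array( '%s', '%d', '%s' ) );            // one format per data value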


  1. When you look at the Codex article on $wpdb, then you will see that your current usage is correct. The last argument

    array( '%s', '%d', '%s' )

    already indicates that there is something like sprintf/printf going on in the background.

    The $wpdb->prepare() method isn’t needed for every other method. The ones that need it:


    and plain SQL queries like:

    $sqlQuery = $wpdb->prepare( "SELECT etc.", /* list of replacements */ );

    where the last probably will always get wrapped inside $wpdb->query() anyway.

  2. If you always escape input such as POST, GET, REQUEST and COOKIE, SQL injections are not possible.

    Or, better, use this function:

    function doEscape($str) {
      // Undo magic-quotes slashes first (if enabled), then escape the string for MySQL.
      return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($str)) : mysql_real_escape_string($str);
    }
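
The distinction drawn in the first answer, as an added example that is not part of the original thread: the same UPDATE written once with `$wpdb->update()` and its format arrays, and once as hand-written SQL that has to go through `$wpdb->prepare()`. The function names and the table `{$wpdb->prefix}my_options` are assumptions; the column names are the ones from the question, and the code is meant to run inside WordPress.

```php
<?php
// Added example, not from the thread. Runs inside WordPress (e.g. in a plugin).
// Assumptions: the table name and both function names are hypothetical;
// the column names are the ones used in the question.

function my_update_option_row( $name, $text_1, $number, $text_3 ) {
    global $wpdb;
    // Built from the site prefix and a constant, never from user input.
    $table = $wpdb->prefix . 'my_options'; // hypothetical table name

    // Form 1: $wpdb->update() builds the placeholders and runs the query
    // through prepare() internally. Pass raw (unescaped) values and one
    // format per value; escaping them first would store the backslashes.
    $updated = $wpdb->update(
        $table,
        array(
            'option_1' => $text_1,
            'option_2' => $number,
            'option_3' => $text_3,
        ),
        array( 'option_name' => $name ),
        array( '%s', '%d', '%s' ), // formats for the data columns
        array( '%s' )              // format for the WHERE column
    );

    // false means a database error (see $wpdb->last_error);
    // 0 means no row matched or the stored values were already identical.
    return $updated;
}

function my_update_option_row_raw( $name, $text_1, $number, $text_3 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'my_options'; // hypothetical table name

    // Form 2: hand-written SQL, where prepare() is required. Placeholders
    // are written unquoted; prepare() quotes and escapes %s values and
    // casts %d values to integers.
    $sql = $wpdb->prepare(
        "UPDATE {$table}
            SET option_1 = %s, option_2 = %d, option_3 = %s
          WHERE option_name = %s",
        $text_1, $number, $text_3, $name
    );

    return $wpdb->query( $sql ); // rows affected, or false on error
}
```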
