how to use $wpdb->prepare to update a custom table

June 23, 20231 Views

As a noob I dont understand a lot of SQL injections but I need to be save so I have read that I have to use wpdb->prepare to make sure the data is stored correct.

At this moment I use the $wpdb->update() query so I need some help to transform this into an save query with $wpdb->prepare().

$wpdb->update('custom_table',
    array(
    'option_1' => 'hello', 
    'option_2' => 2,
    'option_3' => 'world'
    ),
    array('option_name' => 'some name'),
    array('%s','d%','%s')
);

Post Views: 1

2 comments

Anonymous says:

June 23, 2023 at 9:43 pm
When you look at the Codex article on $wpdb, then you will see that your current usage is correct. The last argument
```
array( '%s', '%d', '%s' )
```
already indicates that there is something like sprintf/printf going on in the background.

The $wpdb->prepare() method isn’t needed for every other method. The ones that need it:
```
$wpdb->query()
$wpdb->get_var()
$wpdb->get_col()
$wpdb->get_row()
$wpdb->get_results()
```
and plain SQL queries like:
```
$sqlQuery = $wpdb->prepare( "SELECT etc.", /* list of replacements */ );
```
where the last probably will always get wrapped inside $wpdb->query() anyway.
Anonymous says:

June 23, 2023 at 9:43 pm
If always escaping input like: post, get, request, cookie SQL injection are not possible.
$input_var=mysql_real_escape_string($input_var);

or more good this function:
```
function doEscape($str) {
  return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($str)):mysql_real_escape_string($str);
}
```

Comments are closed.

Related posts

2 comments

Social Network