I’m new to SQL and am wondering if I need to use wpdb->prepare for the following query to a table I’ve created:
global $wpdb;
$tablename = $wpdb->prefix . "my_custom_table";
$sql = "SELECT * FROM " . $tablename . " ORDER BY date_created DESC";
$results = $wpdb->get_results( $sql, ARRAY_A );
Do I need to use prepare here? How would I do that?
Cheers
It’s best practice to always use prepare, but the main use of it is to prevent SQL injection attacks, and since there is no input from the users/visitors, or they can’t affect the query, that is not an issue in your current example. But like I said before, it’s best practice to use it, and once you start using it you never stop, so in your example you can use it like so:
To read more about how to use it, head to the Codex.
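For the case where the same query does take request input, here is an added example (not from the question or any of the answers) showing which parts of the statement prepare() can bind and which it cannot; the status filter, the order parameter and the helper name are assumptions:

```php
<?php
// Added example, not code from the question or answers. Assumes a table
// {$wpdb->prefix}my_custom_table with columns status and date_created,
// and that this helper runs inside a normal WordPress request.
function my_custom_table_rows( $status, $order, $per_page ) {
    global $wpdb;

    // The table name comes from $wpdb->prefix, not from the request, so
    // concatenating it is safe. It also cannot be a %s placeholder:
    // prepare() would quote it as a string literal and break the query.
    $table = $wpdb->prefix . 'my_custom_table';

    // ORDER BY direction cannot be bound with a placeholder either, so it
    // is checked against a fixed allowlist instead of being interpolated.
    $order = ( strtoupper( $order ) === 'ASC' ) ? 'ASC' : 'DESC';

    // Values that originate from the request go through placeholders:
    // %s is escaped and quoted as a string, %d is cast to an integer.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE status = %s ORDER BY date_created {$order} LIMIT %d",
        $status,
        absint( $per_page )
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}

// Typical call site: filter, direction and page size come from the query string.
$rows = my_custom_table_rows(
    isset( $_GET['status'] ) ? sanitize_text_field( wp_unslash( $_GET['status'] ) ) : 'published',
    isset( $_GET['order'] ) ? sanitize_key( $_GET['order'] ) : 'desc',
    isset( $_GET['per_page'] ) ? (int) $_GET['per_page'] : 20
);
```

On WordPress 6.2 and later, prepare() also accepts the `%i` placeholder for identifiers, so the table name can be bound as well instead of concatenated.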
When you use prepare it is protecting the code from SQL injection vulnerabilities.
Here is the code you need to modify for using prepare():
In your case an SQL injection attack is not possible. Your code doesn’t need additional protection because it doesn’t use user input like: post, get, request, cookie.
Don’t use complicated functions when they are not necessary, to save server resources.