Should I use wpdb prepare?

I’m new to SQL and am wondering if I need to use wpdb->prepare for the following query to a table I’ve created:

global $wpdb;
$tablename = $wpdb->prefix . "my_custom_table";
$sql = "SELECT * FROM " . $tablename . " ORDER BY date_created DESC";
$results = $wpdb->get_results( $sql , ARRAY_A );

Do I need to use prepare here? How would I do that?

Cheers

3 comments

  1. It’s best practice to always use prepare, but the main use of it is to protect against SQL injection attacks, and since there is no input from the users/visitors, or they can’t affect the query, that is not an issue in your current example.

    But like I said before it’s best practice to use it and once you start using it you never stop, so in your example you can use it like so:

    global $wpdb;
    $tablename = $wpdb->prefix . "my_custom_table";
    // %i is the identifier placeholder (WordPress 6.2+): it wraps the name in backticks.
    // %s would wrap it in single quotes, turning the table name into a string literal.
    $sql = $wpdb->prepare( "SELECT * FROM %i ORDER BY date_created DESC", $tablename );
    $results = $wpdb->get_results( $sql , ARRAY_A );
    

    To read more about how to use it, head to the Codex.

  2. When you use prepare it is protecting the code from SQL injection vulnerabilities.

    Here is the code you need to modify to use prepare():

    global $wpdb;
    $tablename = $wpdb->prefix . "my_custom_table";
    // Note: prepare() with no placeholder and no arguments triggers a _doing_it_wrong()
    // notice ("must have a placeholder") and returns the query unchanged otherwise.
    $sql = $wpdb->prepare( "SELECT * FROM {$tablename} ORDER BY date_created DESC");
    $results = $wpdb->get_results( $sql , ARRAY_A );
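Both comments say prepare() exists to stop SQL injection, and the first one points out that the question’s query has no user input to inject. The following added example (not code from the thread or from WordPress itself) shows the three cases side by side: the original query with the table name passed through the identifier placeholder, a variant that concatenates a request parameter and is injectable, and the same variant fixed with prepare(). It assumes WordPress is loaded (inside a plugin, or after require_once 'wp-load.php') so that $wpdb, wp_unslash() and ARRAY_A exist, that the table {$wpdb->prefix}my_custom_table has `status` and `date_created` columns, and WordPress 6.2 or later for the %i placeholder. The function names and the `status` column are assumptions for the illustration.

```php
<?php
// Added example, not from the thread above. Assumes WordPress is loaded so $wpdb
// is available, that {$wpdb->prefix}my_custom_table exists with `status` and
// `date_created` columns, and WordPress 6.2+ for the %i identifier placeholder.

function my_custom_table_name() {
    global $wpdb;
    // Built from the configured prefix and a hard-coded name: no request data here.
    return $wpdb->prefix . 'my_custom_table';
}

// 1. The question's query. Nothing from the request reaches it, so there is no
//    injection surface. prepare() with %i keeps the habit and quotes the
//    identifier with backticks; %s would quote it as a string literal instead.
//    On WordPress older than 6.2, interpolating the name directly (as the
//    question does) is the usual approach, because it is not user input.
function sql_all_rows() {
    global $wpdb;
    return $wpdb->prepare(
        'SELECT * FROM %i ORDER BY date_created DESC',
        my_custom_table_name()
    );
}

// 2. VULNERABLE: a request value concatenated straight into the SQL. With
//    $status = "x' OR '1'='1" the WHERE clause becomes always-true, so the
//    filter is bypassed and every row comes back.
function sql_by_status_unsafe( $status ) {
    $table = my_custom_table_name();
    return "SELECT * FROM {$table} WHERE status = '{$status}' ORDER BY date_created DESC";
}

// 3. FIXED: prepare() escapes and single-quotes each %s value and casts %d to
//    an integer, so the input can only ever be compared as data.
function sql_by_status( $status, $limit ) {
    global $wpdb;
    return $wpdb->prepare(
        'SELECT * FROM %i WHERE status = %s ORDER BY date_created DESC LIMIT %d',
        my_custom_table_name(),
        $status,
        $limit
    );
}

// Compare what would reach MySQL for a constructed hostile input.
$hostile = "x' OR '1'='1";
echo sql_by_status_unsafe( $hostile ), "\n";
echo sql_by_status( $hostile, 20 ), "\n";

// Run the safe versions the same way the question does. WordPress adds
// slashes to request data, so unslash before handing it to prepare().
$all_rows = $wpdb->get_results( sql_all_rows(), ARRAY_A );
$status   = wp_unslash( $_GET['status'] ?? '' );
$filtered = $wpdb->get_results( sql_by_status( $status, 20 ), ARRAY_A );
```

Printing the two query strings is the quickest check: in the unsafe version the attacker’s quote closes the string early and the rest of the input becomes SQL, while prepare() backslash-escapes the embedded quotes so the whole value stays inside one quoted literal. The practical rule the comments describe follows from this: anything that originates from a request (query string, POST body, cookies, REST parameters) goes through a placeholder, and only configuration-derived values such as the table prefix are ever interpolated directly.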