I am wondering if WordPress’ insert function also adds slashes to data. If it doesn’t, it would seem that the prepare query method would be better to protect against SQL injection. I tried looking the issue up in their codex/API; however, it seems undocumented.
Thanks!
This question is a little old and the codex may have been updated since it was asked. Both wpdb->insert() and wpdb->prepare() provide the same level of safety regarding SQL escaping of input data. The codex states that both the column and data values provided to the insert method should be raw, not SQL escaped.
I also took a quick look at the source to confirm. The implementation for the insert method uses wpdb->prepare().

WordPress uses ezSQL to query the database. Technically, it is not an abstraction layer but it does take away some of the boilerplate code. ezSQL has a function escape, so I assume that WordPress would always call the escape function before executing a query. But to be certain you would have to take a look at the source code. This is how you escape a string in WordPress:

$safe_string = $wpdb->escape($unsafe_string);
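The two answers above describe the same mechanism from two sides: $wpdb->insert() builds its statement through $wpdb->prepare(), so both expect raw values and escape them for you. The following is an added example, not code from the thread or from WordPress itself, that puts the safe and unsafe call shapes side by side. It assumes it runs inside WordPress (for instance from a plugin file) so the global $wpdb exists; the "notes" table and the attacker-style input strings are constructed for illustration.

```php
<?php
/**
 * Added example (not from the original thread): safe vs unsafe ways to run the
 * same INSERT / SELECT through $wpdb. Assumes it runs inside WordPress
 * (e.g. from a plugin file), so the global $wpdb is available.
 * The table name "notes" and the input values are constructed for illustration.
 */

// Constructed attacker-controlled input: tautology and stacked-statement payloads.
$untrusted_author = "alice' OR '1'='1";
$untrusted_body   = "hello \"world\"; DROP TABLE notes; --";
$untrusted_id     = "7 OR 1=1";

// Correct: $wpdb->insert() takes RAW values. It runs them through
// $wpdb->prepare() internally, so escaping them yourself first would
// double-escape (you would store literal backslashes). The third argument
// gives the placeholder type per column; %d coerces to an integer.
function add_note( $author, $body ) {
    global $wpdb;
    $table = $wpdb->prefix . 'notes'; // hypothetical table
    $rows  = $wpdb->insert(
        $table,
        array( 'author' => $author, 'body' => $body ),
        array( '%s', '%s' )
    );
    return ( false === $rows ) ? 0 : $rows; // rows inserted, or 0 on error
}

// Correct: reads go through $wpdb->prepare() with placeholders. prepare()
// escapes AND quotes %s itself, so the SQL must not put quotes around it.
function find_notes_by_author( $author ) {
    global $wpdb;
    $table = $wpdb->prefix . 'notes';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, body FROM {$table} WHERE author = %s", $author )
    );
}

// %d turns "7 OR 1=1" into the integer 7; the injected tail is discarded.
function get_note( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'notes';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, author, body FROM {$table} WHERE id = %d", $id )
    );
}

// WRONG: string interpolation bypasses every escaping step. With the input
// above the clause becomes  author = 'alice' OR '1'='1'  and matches all rows.
function find_notes_by_author_unsafe( $author ) {
    global $wpdb;
    $table = $wpdb->prefix . 'notes';
    return $wpdb->get_results( "SELECT id, body FROM {$table} WHERE author = '{$author}'" );
}

// Also a pitfall: prepare() only parameterizes VALUES. A user-chosen column or
// table name spliced into the SQL text is still injection; whitelist it.
function notes_sorted_by( $column ) {
    global $wpdb;
    $allowed = array( 'id', 'author' );
    if ( ! in_array( $column, $allowed, true ) ) {
        $column = 'id';
    }
    $table = $wpdb->prefix . 'notes';
    return $wpdb->get_results( "SELECT id, author FROM {$table} ORDER BY {$column}" );
}

// Usage (table is hypothetical, so this only demonstrates the call shapes):
add_note( $untrusted_author, $untrusted_body );
$safe   = find_notes_by_author( $untrusted_author );        // matches the literal string only
$unsafe = find_notes_by_author_unsafe( $untrusted_author ); // matches every row
$one    = get_note( $untrusted_id );                        // id = 7
```

Two caveats worth keeping in mind. First, WordPress itself adds slashes to $_GET, $_POST, $_COOKIE and $_SERVER at load time (wp_magic_quotes()), so a value taken straight from $_POST should be passed through wp_unslash() before it reaches $wpdb->insert() or $wpdb->prepare(); otherwise the stored data carries the extra backslashes. Second, $wpdb->escape() shown in the answer above has been deprecated since WordPress 3.6; esc_sql() is its replacement for the rare cases where a raw escape is needed, but $wpdb->prepare() with %s/%d placeholders is the form to reach for, since it never lets unescaped text into the statement in the first place.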