WordPress: wpdb->insert VERSUS wpdb->prepare(wpdb->query(“INSERT

I am wondering if WordPress' insert function also adds slashes to data. If it doesn't, it would seem that the prepare query method would be better to protect against SQL injection. I tried looking the issue up in their codex/API; however, it seems undocumented.
Thanks!

2 comments

  1. This question is a little old and the codex may have been updated since it was asked. Both wpdb->insert() and wpdb->prepare() provide the same level of safety regarding SQL escaping of input data.

    The codex states that both the column and data values provided to the insert method should be raw, not SQL escaped.

    I also took a quick look at the source to confirm. The implementation for the insert method uses wpdb->prepare().
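    The three forms the question and this answer contrast, written against the real $wpdb API as an added illustration (not code from the original thread). The table name and columns ($wpdb->prefix . 'audit_log', user_id, note) are assumptions for the example:

```php
<?php
// Added example, not from the original post. Table and columns are assumed.

function add_audit_note_vulnerable( $user_id, $note ) {
    global $wpdb;
    $table = $wpdb->prefix . 'audit_log';
    // Vulnerable: $note is interpolated straight into the SQL string, so a
    // quote character inside it changes the structure of the statement.
    return $wpdb->query(
        "INSERT INTO {$table} (user_id, note) VALUES ({$user_id}, '{$note}')"
    );
}

function add_audit_note_with_insert( $user_id, $note ) {
    global $wpdb;
    // Safe: values are passed raw, as the codex says. insert() escapes them
    // internally (it builds the statement through prepare()). The format
    // array pins user_id to %d, so a non-numeric value never reaches SQL.
    $rows = $wpdb->insert(
        $wpdb->prefix . 'audit_log',
        array( 'user_id' => $user_id, 'note' => $note ),
        array( '%d', '%s' )
    );
    return ( false === $rows ) ? false : $wpdb->insert_id;
}

function add_audit_note_with_prepare( $user_id, $note ) {
    global $wpdb;
    // Safe and equivalent: prepare() replaces each placeholder with an
    // escaped, quoted value. Do not wrap %s in quotes yourself; prepare()
    // adds them. Only values can be placeholders, so the table name is
    // still interpolated from the trusted $wpdb->prefix, never from input.
    $sql = $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}audit_log (user_id, note) VALUES (%d, %s)",
        $user_id,
        $note
    );
    return $wpdb->query( $sql );
}
```

    Both safe variants return false on a database error, so callers should check the return value rather than assume the row was written.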

  2. WordPress uses ezSQL to query the database. Technically, it is not an abstraction layer but it does take away some of the boilerplate code. ezSQL has a function escape so I assume that WordPress would always call the escape function before executing a query. But to be certain you would have to take a look at the source code.

    This is how you escape a string in WordPress:
    $safe_string = $wpdb->escape($unsafe_string);