how to use $wpdb->prepare to update a custom table

As a noob I don't understand a lot about SQL injection, but I need to be safe, so I have read that I have to use wpdb->prepare to make sure the data is stored correctly.

At this moment I use the $wpdb->update() query, so I need some help to transform this into a safe query with $wpdb->prepare().

// $wpdb is the global WordPress database object
global $wpdb;

$wpdb->update('custom_table',
    array(                               // columns to set
    'option_1' => 'hello',
    'option_2' => 2,
    'option_3' => 'world'
    ),
    array('option_name' => 'some name'), // WHERE clause
    array('%s','%d','%s')                // value formats: %s string, %d integer ('d%' was a typo)
);


2 comments

  1. When you look at the Codex article on $wpdb, you will see that your current usage is correct. The last argument

    array( '%s', '%d', '%s' )
    

    already indicates that there is something like sprintf/printf going on in the background.

    The $wpdb->prepare() method isn’t needed for every other method. The ones that need it:

    $wpdb->query()
    $wpdb->get_var()
    $wpdb->get_col()
    $wpdb->get_row()
    $wpdb->get_results()
    

    and plain SQL queries like:

    $sqlQuery = $wpdb->prepare( "SELECT etc.", /* list of replacements */ );
    

    where the last one will probably always get wrapped inside $wpdb->query() anyway.
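
The three usages the comment above contrasts (update() with format arrays, a hand-written UPDATE through prepare(), and a read through get_row()), as an added example that is not code from the original question or either comment. It assumes a running WordPress with the global $wpdb loaded and a table named {$wpdb->prefix}custom_table with the columns from the question; the use of $wpdb->prefix, the sample values and the LIKE lookup are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Assumes WordPress is loaded and that
// {$wpdb->prefix}custom_table has columns option_name, option_1, option_2, option_3.
global $wpdb;
$table = $wpdb->prefix . 'custom_table';

// Constructed sample input standing in for untrusted request data. In a real handler these
// would come from $_POST via wp_unslash(). The quote and the comment sequence would break
// a query built by string concatenation; with placeholders they are just data.
$name  = "some name' OR '1'='1";
$text  = "O'Reilly -- ";
$count = '2abc';   // a %d placeholder casts this to the integer 2

// 1. $wpdb->update() parameterises for you: the format arrays say how each value is
//    escaped (%s quoted string, %d integer, %f float). No prepare() call is needed here.
$rows = $wpdb->update(
    $table,
    array( 'option_1' => $text, 'option_2' => $count, 'option_3' => 'world' ), // SET
    array( 'option_name' => $name ),                                            // WHERE
    array( '%s', '%d', '%s' ),                                                  // SET formats
    array( '%s' )                                                               // WHERE format
);
if ( false === $rows ) {
    error_log( 'update failed: ' . $wpdb->last_error );
}

// 2. The same statement written as raw SQL. Now prepare() is mandatory: it is the only thing
//    between the untrusted values and the query string. Table and column names cannot be
//    placeholders, so they must come from code, never from request input.
$sql  = $wpdb->prepare(
    "UPDATE {$table} SET option_1 = %s, option_2 = %d, option_3 = %s WHERE option_name = %s",
    $text,
    $count,
    'world',
    $name
);
$rows = $wpdb->query( $sql );

// 3. Reading back with get_row() goes through prepare() as well. A literal % in the query
//    template has to be written as %%; for LIKE patterns, escape the user part with
//    $wpdb->esc_like() and pass the whole pattern as a %s argument.
$pattern = '%' . $wpdb->esc_like( "O'Re" ) . '%';
$row     = $wpdb->get_row(
    $wpdb->prepare(
        "SELECT option_1, option_2 FROM {$table} WHERE option_name = %s AND option_1 LIKE %s",
        $name,
        $pattern
    ),
    ARRAY_A
);
```

The practical rule the example encodes: update(), insert(), delete() and replace() take format arrays and escape internally, while query(), get_var(), get_col(), get_row() and get_results() receive a finished SQL string and must be handed the output of $wpdb->prepare() whenever any part of that string is not a compile-time constant.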

  2. If you always escape input like POST, GET, REQUEST and COOKIE, SQL injection is not possible.
    $input_var = mysql_real_escape_string($input_var);

    or, better, this function:

    // Strips the slashes added by magic_quotes_gpc (if enabled) before escaping,
    // so the value is not escaped twice. mysql_real_escape_string() needs an open
    // mysql_* connection; the mysql_* functions were removed in PHP 7.
    function doEscape($str) {
      return get_magic_quotes_gpc() ? mysql_real_escape_string(stripslashes($str)) : mysql_real_escape_string($str);
    }
