I’m new to SQL and am wondering if I need to use wpdb->prepare for the following query to a table I’ve created
global $wpdb;
$tablename = $wpdb->prefix . "my_custom_table";
$sql = "SELECT * FROM " . $tablename . " ORDER BY date_created DESC";
$results = $wpdb->get_results( $sql, ARRAY_A );
Do I need to use prepare here? How would I do that?
Cheers
Answers:
Method 1
It’s best practice to always use prepare, but the main use of it is to prevent SQL injection attacks, and since there is no input from the users/visitors and they can’t affect the query, that is not an issue in your current example.
But like I said before, it’s best practice to use it, and once you start using it you never stop, so in your example you can use it like so:
global $wpdb;
$tablename = $wpdb->prefix . "my_custom_table";
// %s would wrap the table name in single quotes (a string literal, not an
// identifier) and break the query; %i (WordPress 6.2+) quotes it as an identifier.
$sql = $wpdb->prepare( "SELECT * FROM %i ORDER BY date_created DESC", $tablename );
$results = $wpdb->get_results( $sql, ARRAY_A );
To read more about how to use it, head to the Codex.
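The point in the answer above is that prepare() matters once request data reaches the query. As an added example (not code from the question or the answers), here is the same query extended with a user-supplied search term and page number, with every such value passed through $wpdb->prepare(); it assumes WordPress 6.2 or later for the %i placeholder and a hypothetical title column in the table.

```php
<?php
// Added example: the query from the question once request values enter it.
// Assumes WordPress >= 6.2 (%i identifier placeholder) and a hypothetical
// `title` column alongside `date_created`.
function my_custom_table_rows( $search, $page ) {
    global $wpdb;

    $tablename = $wpdb->prefix . 'my_custom_table';
    $per_page  = 20;
    $page      = max( 1, (int) $page );            // clamp to a positive integer
    $offset    = ( $page - 1 ) * $per_page;

    // esc_like() escapes %, _ and \ so the caller cannot widen the LIKE
    // pattern; prepare() then quotes the whole value via %s.
    $like = '%' . $wpdb->esc_like( $search ) . '%';

    // %i: identifier (backtick-quoted), %s: quoted string, %d: integer.
    $sql = $wpdb->prepare(
        "SELECT * FROM %i WHERE title LIKE %s ORDER BY date_created DESC LIMIT %d OFFSET %d",
        $tablename,
        $like,
        $per_page,
        $offset
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}

// Usage with request values (constructed here; the query keys are hypothetical):
$search = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
$paged  = isset( $_GET['paged'] ) ? (int) $_GET['paged'] : 1;
$rows   = my_custom_table_rows( $search, $paged );
```

The table name still comes only from $wpdb->prefix, so %i is there for correctness of quoting rather than because it is user-controlled; the %s and %d arguments are the ones that actually carry request data.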
Method 2
When you use prepare it is protecting the code from SQL injection vulnerabilities.
Here is the code you need to modify for using prepare():
global $wpdb;
$tablename = $wpdb->prefix . "my_custom_table";
// prepare() with no placeholder at all raises a _doing_it_wrong notice and
// leaves the interpolated name unescaped; %i (WordPress 6.2+) quotes it as
// an identifier.
$sql = $wpdb->prepare( "SELECT * FROM %i ORDER BY date_created DESC", $tablename );
$results = $wpdb->get_results( $sql, ARRAY_A );
Method 3
In your case an SQL injection attack is not possible. Your code doesn’t need additional protection because it doesn’t use user input like: post, get, request, cookie.
Don’t use complicated functions when they are not necessary, to save server resources.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.