[wp-hackers] $wpdb->prepare and dynamic field names
steve at sltaylor.co.uk
Wed Mar 2 21:45:10 UTC 2011
Following from Mark Jaquith's handy presentation,
I'm scouring my themes and plugins to check the security measures.
One issue so far. I have a query like this:
$field = $wpdb->get_results("
    WHERE meta_key = '$key'
    AND $id_field = $id
    LIMIT 0, 1
");
It's just checking whether a custom field is set for a specific object
(a post or user - hence the dynamic table and ID field references,
which are decided before this query).
If I use $wpdb->prepare, what would I do with $table and $id_field?
Wouldn't using %s automatically stick quotes around them and
invalidate the query?
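The usual answer to the question above, as an added example that is not from the original post or from WordPress core: $wpdb->prepare() quotes and escapes values, not identifiers, so the table and ID column are taken from a fixed allowlist keyed by object type and only $key and $id go through prepare(). The function name, the allowlist and the selected columns are assumptions.

```php
<?php
// Added example (not from the original post). Assumes it runs inside WordPress,
// where $wpdb, $wpdb->postmeta and $wpdb->usermeta are available.

function slt_example_get_meta_row( $object_type, $key, $id ) {
    global $wpdb;

    // Allowlist: the only table / ID-column pairs this query is allowed to touch.
    // Identifiers never come from the request; they are looked up by a short key.
    $targets = array(
        'post' => array( 'table' => $wpdb->postmeta, 'id_field' => 'post_id' ),
        'user' => array( 'table' => $wpdb->usermeta, 'id_field' => 'user_id' ),
    );

    if ( ! isset( $targets[ $object_type ] ) ) {
        // Unknown object type: refuse rather than interpolate whatever was passed.
        return null;
    }
    $table    = $targets[ $object_type ]['table'];
    $id_field = $targets[ $object_type ]['id_field'];

    // The identifiers are interpolated directly because they are constants from
    // the allowlist above. Only the values go through prepare(): %s is quoted and
    // escaped, %d is cast to an integer, so neither needs manual quoting.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE meta_key = %s AND {$id_field} = %d LIMIT 0, 1",
        $key,
        $id
    );

    // LIMIT 0, 1 means a single row is expected, so get_row() is enough here.
    return $wpdb->get_row( $sql );
}
```

Newer WordPress releases (6.2 and later) also accept an `%i` placeholder in prepare() for identifiers, which backtick-quotes them; an allowlist is still needed, because quoting a name does not stop an attacker from naming a table they should not reach.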