[wp-hackers] $wpdb->prepare and dynamic field names

Steve Taylor steve at sltaylor.co.uk
Wed Mar 2 21:45:10 UTC 2011


Following from Mark Jaquith's handy presentation
(http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/),
I'm scouring my themes and plugins to check the security measures.

One issue so far. I have a query like this:

$field = $wpdb->get_results("
	SELECT	meta_value
	FROM	$table
	WHERE	meta_key	= '$key'
	AND		$id_field	= $id
	LIMIT		0, 1
");

It's just checking whether a custom field is set for a specific object
(a post or user - hence the dynamic table and ID field references,
which are decided before this query).

If I use $wpdb->prepare, what would I do with $table and $id_field?
Wouldn't using %s automatically stick quotes around them and
invalidate the query?

cheers,

Steve Taylor
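One way to handle the dynamic table and ID-field names in the query above: since $wpdb->prepare() placeholders only bind values (%s quotes and escapes a string, %d casts to an integer), identifiers cannot go through them and instead should come from a fixed whitelist keyed by object type, with only the meta key and ID bound as values. This is an added example, not code from the original post; it assumes it runs inside WordPress (global $wpdb, its postmeta/usermeta table-name properties, prepare() and get_var() are the real WordPress API), and the function name sltaylor_example_get_meta_value is hypothetical.

```php
<?php
// Added example (not from the original post): the lookup from the post,
// rebuilt so that the identifiers ($table, $id_field) are never caller
// controlled and the values ($key, $id) are bound with $wpdb->prepare().
// Assumes it runs inside WordPress, where the global $wpdb is available.

/**
 * Look up a single meta value for a post or a user.
 *
 * @param string $object_type 'post' or 'user' (anything else is rejected).
 * @param string $key         Meta key to look up.
 * @param int    $id          Object (post or user) ID.
 * @return string|null        The meta value, or null when not set or on bad input.
 */
function sltaylor_example_get_meta_value( $object_type, $key, $id ) {
	global $wpdb;

	// Whitelist: table and ID-column names come from this map, decided by
	// object type, never interpolated from user input.
	$targets = array(
		'post' => array( 'table' => $wpdb->postmeta, 'id_field' => 'post_id' ),
		'user' => array( 'table' => $wpdb->usermeta, 'id_field' => 'user_id' ),
	);
	if ( ! isset( $targets[ $object_type ] ) ) {
		return null; // unknown object type: refuse rather than build SQL from it
	}
	$table    = $targets[ $object_type ]['table'];
	$id_field = $targets[ $object_type ]['id_field'];

	// Values are bound with placeholders: %s is quoted and escaped by
	// prepare(), %d is cast to an integer, so neither needs manual quoting.
	$sql = $wpdb->prepare(
		"SELECT meta_value FROM {$table} WHERE meta_key = %s AND {$id_field} = %d LIMIT 1",
		$key,
		$id
	);

	return $wpdb->get_var( $sql );
}

// Usage (inside WordPress): true/false whether the custom field is set.
// $is_set = null !== sltaylor_example_get_meta_value( 'post', 'my_key', 42 );
```

The check "is the field set" then reduces to testing the return value for null, and get_var() already applies the single-row semantics the original LIMIT 0, 1 was providing. If an identifier genuinely has to vary beyond a small map, validate it against a list of known column names before interpolating; newer WordPress releases (6.2 and later) also offer the %i placeholder in prepare() for identifiers, which backtick-quotes a name rather than string-quoting it.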

