[wp-hackers] $wpdb: columns with digit names
Andrew Nacin
wp at andrewnacin.com
Sat Apr 7 06:30:06 UTC 2012
On Apr 5, 2012 4:35 AM, "David Gard" <dgard at dynedrewett.com> wrote:
>
> First off, for the query, try this code. WP will prepare it correctly for
> a MySQL query then -
>
> $query = "SELECT * FROM "{DBNAME}" WHERE id = '{$target}'";
> print_r( $wpdb->get_row( $wpdb->prepare( $query, ARRAY_A ) ) );
Eek. That query is insecure and not "prepared".
prepare() does not take ARRAY_A, get_row() does. What you want is to use %s
or %d in a query string, then pass prepare additional arguments for those
placeholders. It's like sprintf().
prepare() is not magic.
So:
$query = "select * from sometable where id = %d";
$wpdb->get_row( $wpdb->prepare( $query, $id ), ARRAY_A );
Nacin
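An added example, not from this thread or from WordPress core, showing the difference Nacin describes between interpolating a value into the SQL string and handing it to prepare() through a placeholder. $wpdb is not available outside WordPress, so prepare_stub() below is a hypothetical, simplified stand-in that mimics only the placeholder substitution of wpdb::prepare() (%d, %f, %s and %%); it is not WordPress's implementation and it is not charset-aware. The table name wp_sometable and the $target value are constructed for the demonstration.

```php
<?php
// Added example, not code from the original thread or from WordPress.

// Hypothetical stand-in for $wpdb->prepare(): like the real method it works
// like sprintf(), replacing %d with an integer, %f with a float, %s with a
// quoted and escaped string, and %% with a literal percent sign. The real
// method escapes with the connection's charset; addslashes() is used here
// only so the script runs without a database.
function prepare_stub( $query, ...$args ) {
    $i = 0;
    return preg_replace_callback(
        '/%(%|d|f|s)/',
        function ( $m ) use ( &$i, $args ) {
            switch ( $m[1] ) {
                case '%':
                    return '%';                              // literal percent
                case 'd':
                    return (string) (int) $args[ $i++ ];     // integer only
                case 'f':
                    return (string) (float) $args[ $i++ ];   // float only
                default:                                     // 's'
                    return "'" . addslashes( (string) $args[ $i++ ] ) . "'";
            }
        },
        $query
    );
}

// Constructed malicious input standing in for a request parameter.
$target = "1' OR '1'='1";

// Unsafe (the quoted snippet's pattern): the value is interpolated into the
// SQL before prepare() ever sees it. There is no placeholder left to fill,
// so prepare() cannot escape anything, and ARRAY_A is simply the wrong
// argument for it; ARRAY_A belongs to get_row().
function unsafe_query( $target ) {
    return "SELECT * FROM wp_sometable WHERE id = '{$target}'";
}

// Safe: the query string carries a placeholder and the value is passed as a
// separate argument, exactly as Nacin's corrected call does.
function safe_query_s( $target ) {
    return prepare_stub( "SELECT * FROM wp_sometable WHERE id = %s", $target );
}
function safe_query_d( $target ) {
    return prepare_stub( "SELECT * FROM wp_sometable WHERE id = %d", $target );
}

echo unsafe_query( $target ), PHP_EOL;
// SELECT * FROM wp_sometable WHERE id = '1' OR '1'='1'   (tautology: every row)
echo safe_query_s( $target ), PHP_EOL;
// SELECT * FROM wp_sometable WHERE id = '1\' OR \'1\'=\'1'   (one literal string)
echo safe_query_d( $target ), PHP_EOL;
// SELECT * FROM wp_sometable WHERE id = 1   (%d keeps only the integer)

// Inside WordPress the same pattern reads:
//   $row = $wpdb->get_row(
//       $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}sometable WHERE id = %d", $id ),
//       ARRAY_A
//   );
//
// Placeholders stand in for values only. A table or column name, including a
// column whose name is all digits (this thread's subject), must be written
// into the query string itself, backtick-quoted as a MySQL identifier:
//   "SELECT `2012` FROM {$wpdb->prefix}sometable WHERE id = %d"
```

The two safe variants show why %d is preferable for an id: %s preserves the attacker's text as one escaped string literal, which is safe but still stores junk, while %d discards everything except the leading integer.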