[wp-trac] Re: [WordPress Trac] #5145: Proper use of prepared statements

WordPress Trac wp-trac at lists.automattic.com
Fri Oct 5 14:27:15 GMT 2007


#5145: Proper use of prepared statements
---------------------+------------------------------------------------------
 Reporter:  xknown   |        Owner:  markjaquith
     Type:  defect   |       Status:  assigned   
 Priority:  normal   |    Milestone:  2.4        
Component:  General  |      Version:             
 Severity:  normal   |   Resolution:             
 Keywords:           |  
---------------------+------------------------------------------------------
Comment (by santosj):

 I think the problem is that instead of defeating the purpose of even
 having the function, the variables should be '''outside''' the string and
 instead also use the {{{%{whatever}}}}.

 {{{
 $wpdb->prepare(
         "UPDATE IGNORE $wpdb->posts SET
         post_author = '$post_author',
         post_date = '$post_date',
         post_date_gmt = '$post_date_gmt',
         post_content = '$post_content',
         post_content_filtered = '$post_content_filtered',
         post_title = '$post_title',
         post_excerpt = '$post_excerpt',
         post_status = '$post_status',
         post_type = '$post_type',
         comment_status = '$comment_status',
         ping_status = '$ping_status',
         post_password = '$post_password',
         post_name = '$post_name',
         to_ping = '$to_ping',
         pinged = '$pinged',
         post_modified = '".current_time('mysql')."',
         post_modified_gmt = '".current_time('mysql',1)."',
         post_parent = %d,
         menu_order = '$menu_order'
         WHERE ID = %d"
         , $post_parent, $post_ID ));
 }}}

 should be, like:

 {{{
 $wpdb->prepare(
         "UPDATE IGNORE $wpdb->posts SET
         post_author = '%s',
         post_date = '%s',
         post_date_gmt = '%s',
         post_content = '$post_content',
         post_content_filtered = '$post_content_filtered',
         post_title = '$post_title',
         post_excerpt = '$post_excerpt',
         post_status = '$post_status',
         post_type = '$post_type',
         comment_status = '$comment_status',
         ping_status = '$ping_status',
         post_password = '$post_password',
         post_name = '$post_name',
         to_ping = '$to_ping',
         pinged = '$pinged',
         post_modified = '".current_time('mysql')."',
         post_modified_gmt = '".current_time('mysql',1)."',
         post_parent = %d,
         menu_order = '$menu_order'
         WHERE ID = %d"
         , $post_author, $post_date, $post_date_gmt, ..., $post_parent,
 $post_ID ));
 }}}

 And so on and so forth.

 I think the whole concept is being defeated by using it for numeric values
 when you could use {{{$post_author, $post_date, $post_date_gmt, ..., (num)
 $post_parent, (num) $post_ID ));}}}

-- 
Ticket URL: <http://trac.wordpress.org/ticket/5145#comment:5>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
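As an added example (not code from the ticket or from WordPress itself), a constructed stand-in for `$wpdb->prepare()` shows why a value interpolated into the format string is never escaped, while the same value passed as a `%s` argument is; `toy_prepare`, the table name and the sample values are assumptions.

```php
<?php
// Added example; not code from the ticket or from WordPress. toy_prepare() is a
// constructed stand-in for $wpdb->prepare(): %s is escaped and quoted, %d is
// cast to an integer by vsprintf. Real code calls $wpdb->prepare() itself, and
// wpdb uses the database driver's escaping rather than addslashes().
function toy_prepare(string $query, ...$args): string {
    $query = str_replace("'%s'", '%s', $query); // tolerate an already-quoted %s
    $query = str_replace('%s', "'%s'", $query); // quote every string placeholder
    // Escape every argument; a %d placeholder discards the quoting anyway.
    $escaped = array_map('addslashes', array_map('strval', $args));
    return vsprintf($query, $escaped);
}

// Constructed sample values; the apostrophes are the interesting part.
$post_title  = "O'Reilly's notes";
$post_parent = 7;
$post_ID     = 42;

// The pattern the ticket objects to: $post_title is interpolated into the
// format string before prepare() ever sees it, so nothing escapes it (and a
// value containing '%' would even be misread as a format directive).
$interpolated = toy_prepare(
    "UPDATE wp_posts SET post_title = '$post_title', post_parent = %d WHERE ID = %d",
    $post_parent, $post_ID
);

// The pattern the comment asks for: placeholder in the string, value in the
// argument list, so prepare() escapes and quotes it.
$parameterised = toy_prepare(
    "UPDATE wp_posts SET post_title = %s, post_parent = %d WHERE ID = %d",
    $post_title, $post_parent, $post_ID
);

echo $interpolated, "\n";
echo $parameterised, "\n";

// The interpolated query still carries the raw quote (a syntax error at best);
// the parameterised one carries it escaped.
$raw_quote_survives = strpos($interpolated, "'O'Reilly") !== false;
$quote_escaped      = strpos($parameterised, "'O\\'Reilly") !== false;
echo $raw_quote_survives ? "interpolated: unescaped\n" : "interpolated: ok\n";
echo $quote_escaped      ? "parameterised: escaped\n"  : "parameterised: not escaped\n";
```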