[wp-trac] [WordPress Trac] #9505: Strangeness in wpdb::update() and
escaping table names in wpdb::update() and wpdb::insert()
WordPress Trac
wp-trac at lists.automattic.com
Fri Apr 10 21:29:51 GMT 2009
#9505: Strangeness in wpdb::update() and escaping table names in wpdb::update()
and wpdb::insert()
--------------------------+-------------------------------------------------
 Reporter:  mdawaffe      |       Owner:  mdawaffe
     Type:  defect (bug)  |      Status:  new
 Priority:  normal        |   Milestone:  2.8
Component:  General       |     Version:  2.8
 Severity:  normal        |    Keywords:  has-patch dev-feedback
--------------------------+-------------------------------------------------
In wpdb::update(), we do not enclose columns from the $where argument
inside backticks. It seems this was intentional (#5178). Perhaps to
allow the following?
{{{
$wpdb->update( 'table', array( 'foo' => 'bar' ), array( 'ID < 4' => 1 ),
null, array( '%d' ) );
}}}
Which would execute the following SQL query.
{{{
UPDATE table SET `foo` = 'bar' WHERE ID < 4 = 1
}}}
Do we really want to support strangeness like that?
As update() and insert() were designed to simplify the execution of simple
queries, I don't see why we should try to simplify complicated queries
like the above.
I suggest enclosing the columns from $where in backticks.
I also think we should include backticks around $table in both update()
and insert().
If people need more complicated queries, they can use
{{{
$wpdb->query( $wpdb->prepare( ... ) );
}}}
Thoughts?
--
Ticket URL: <http://core.trac.wordpress.org/ticket/9505>
WordPress Trac <http://trac.wordpress.org/>
WordPress blogging software
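
The difference the ticket describes, as an added example that is not part of the original message and not WordPress's own code: a simplified query builder that either inserts the table name and $where keys verbatim or encloses them in backticks. The names quote_ident() and build_update() and the fixed %s/%d placeholders are assumptions made for illustration.

```php
<?php
// Simplified stand-in for the query building discussed in the ticket.
// Hypothetical helper names; this is not wpdb's implementation.

// Quote a MySQL identifier: wrap it in backticks and double any embedded
// backtick so the name cannot terminate the quoting early.
function quote_ident( string $name ): string {
    return '`' . str_replace( '`', '``', $name ) . '`';
}

// Build an UPDATE statement with placeholders for a later prepare() step.
// $quote_all = false: columns in SET are quoted, but the table name and the
//                     $where keys are copied into the SQL as-is.
// $quote_all = true:  the table name and $where keys are quoted as well,
//                     which is what the ticket suggests.
function build_update( string $table, array $data, array $where, bool $quote_all ): string {
    $set = array();
    foreach ( array_keys( $data ) as $col ) {
        $set[] = quote_ident( $col ) . ' = %s';
    }

    $conds = array();
    foreach ( array_keys( $where ) as $col ) {
        $conds[] = ( $quote_all ? quote_ident( $col ) : $col ) . ' = %d';
    }

    $tbl = $quote_all ? quote_ident( $table ) : $table;

    return "UPDATE $tbl SET " . implode( ', ', $set )
        . ' WHERE ' . implode( ' AND ', $conds );
}

// Inputs taken from the ticket's example call.
$data  = array( 'foo' => 'bar' );
$where = array( 'ID < 4' => 1 );

// Unquoted: the key 'ID < 4' reaches MySQL as an expression, so whatever
// the caller put in the array key becomes part of the WHERE clause.
echo build_update( 'table', $data, $where, false ), "\n";

// Quoted: MySQL looks for a column literally named "ID < 4" and rejects
// the query if no such column exists, so the key can only name a column.
echo build_update( 'table', $data, $where, true ), "\n";
```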