[wp-trac] [WordPress Trac] #54042: Extending wpdb::prepare() to support table/field names, and IN() operator
WordPress Trac
noreply at wordpress.org
Mon Sep 13 15:05:49 UTC 2021
#54042: Extending wpdb::prepare() to support table/field names, and IN() operator
--------------------------+------------------------------
Reporter: craigfrancis | Owner: (none)
Type: enhancement | Status: new
Priority: normal | Milestone: Awaiting Review
Component: Database | Version: trunk
Severity: normal | Resolution:
Keywords: has-patch | Focuses:
--------------------------+------------------------------
Comment (by craigfrancis):
Thank you @ocean90, I completely missed the ticket regarding table names.
In regards to the `IN` operator, thanks again, I hadn't realised the
Coding Standards suggested using:
{{{
#!php
$where = $wpdb->prepare(
sprintf(
"post_type IN (%s)",
implode( ',', array_fill( 0, count($post_types), '%s' ) )
),
$post_types
);
}}}
But I still think this would be easier/safer:
{{{
#!php
$where = $wpdb->prepare( 'post_type IN (%...s)', $post_types );
}}}
It also means the `$query` argument to `$wpdb->prepare()` could use the
`literal-string` type that's now available in
[https://github.com/vimeo/psalm/releases/tag/4.8.0 Psalm 4.8.0] and
[https://github.com/phpstan/phpstan/releases/tag/0.12.97 PHPStan 0.12.97]
(and will hopefully be added to PHP in the future); doing this allows us
to avoid unsafe variable concatenation and escaping mistakes.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/54042#comment:3>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
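As an added example (not code from the ticket, from craigfrancis, or from WordPress core), the following helper wraps the Coding Standards pattern quoted above and adds the two checks that pattern leaves to the caller: an identifier allow-list, because `wpdb::prepare()` cannot quote table or column names, and an empty-array guard, because `implode()` over an empty array produces `IN ()`, which MySQL rejects. `$wpdb->prepare()` is the real WordPress API; the function name `wp_prepare_in_list()` and the allow-list contents are assumptions made for this illustration.

```php
<?php
// Added example, not WordPress core code. Builds a prepared "col IN (...)"
// fragment using the WordPress Coding Standards placeholder-list pattern.
// Assumes the global $wpdb object from WordPress is passed in.

/**
 * Return a prepared "col IN (...)" SQL fragment.
 *
 * @param wpdb     $wpdb    The WordPress database object.
 * @param string   $column  Column name; checked against a fixed allow-list,
 *                          since prepare() cannot safely quote identifiers.
 * @param string[] $values  Values to match against.
 * @param string   $type    Placeholder type: '%s', '%d' or '%f'.
 * @return string  SQL fragment, or the always-false '1=0' when $values is empty.
 */
function wp_prepare_in_list( $wpdb, $column, array $values, $type = '%s' ) {
    // Identifiers never go through prepare(); the defensive option today is a
    // fixed allow-list. This list is constructed for the example.
    $allowed_columns = array( 'post_type', 'post_status' );
    if ( ! in_array( $column, $allowed_columns, true ) ) {
        throw new InvalidArgumentException( 'Unexpected column name' );
    }

    // Restrict the placeholder to the types prepare() understands, so the
    // format string can only ever be assembled from known-constant pieces.
    if ( ! in_array( $type, array( '%s', '%d', '%f' ), true ) ) {
        throw new InvalidArgumentException( 'Unexpected placeholder type' );
    }

    // implode() on an empty array yields "IN ()", a MySQL syntax error.
    // Return a condition that matches nothing instead of broken SQL.
    if ( empty( $values ) ) {
        return '1=0';
    }

    // One placeholder per value; the values themselves never touch the format
    // string, which keeps it a literal string in the Psalm/PHPStan sense.
    $placeholders = implode( ',', array_fill( 0, count( $values ), $type ) );

    // prepare() accepts the values as a single array argument.
    return $wpdb->prepare( "{$column} IN ({$placeholders})", array_values( $values ) );
}

// Usage inside WordPress (assumes the global $wpdb is available):
// $where = wp_prepare_in_list( $wpdb, 'post_type', array( 'post', 'page' ) );
// $where = wp_prepare_in_list( $wpdb, 'post_status', array(), '%s' ); // '1=0'
```

The allow-list is the important part for the table/field-name half of this ticket: until `prepare()` grows an identifier placeholder, any column or table name that reaches the query string should come from a constant set the code controls, not from request data that has merely been escaped.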