• I need help with checking on where to place “$wpdb->prepare” in the following queries

    
    $table_name = $wpdb->prefix . 'wdplugin_widget';
    $wpdb->query("ALTER TABLE $table_name ADD COLUMN successUrl TEXT DEFAULT '' NOT NULL");
    
    $table_name = $wpdb->prefix . "wdplugin_a_key";
    $sql = "DROP TABLE IF EXISTS " . $table_name . "";
    $wpdb->query($sql);
    
    $table_name = $wpdb->prefix . "wdplugin_a_key";
    $result = $wpdb->get_results("SELECT * FROM $table_name", ARRAY_A);
    
    $table_name = $wpdb->prefix . "wdplugin_a_key";
    $result = $wpdb->get_results("SELECT id from $table_name WHERE id IS NOT NULL");
    
    $table_name = $wpdb->prefix . "wdplugin_a_key";
    $retrieve_data = $wpdb->get_results("SELECT * FROM $table_name WHERE id = 1");
    
    $table_name = $wpdb->prefix . "wdplugin_s";
    $response = $wpdb->delete($table_name, array('id' => $id), array('%d'));
    
    $table_name = $wpdb->prefix . "wdplugin_s";
    $result = $wpdb->get_results("SELECT * FROM $table_name", ARRAY_A);
    
    $table_name = $wpdb->prefix . "wdplugin_a_key";
    $result = $wpdb->get_results("SELECT id FROM $table_name WHERE id IS NOT NULL");
    
    $table_name = $wpdb->prefix . 'wdplugin_a_key';
    $retrieve_data = $wpdb->get_results("SELECT * FROM $table_name WHERE id = 1");
    
    $config_widget_table = $wpdb->prefix . 'wdplugin_widget';
    $response = $wpdb->delete($config_widget_table, array('id' => $id), array('%d'));
    
    $style_table = $wpdb->prefix . 'wdplugin_s';
    $config_widget_table = $wpdb->prefix . 'wdplugin_widget';
    
    $style_table = $wpdb->prefix . 'wdplugin_s';
    $response = $wpdb->delete($style_table, array('id' => $id), array('%d'));
    
    $config_widget_table = $wpdb->prefix . 'wdplugin_widget';
    $success = $wpdb->update(
            $config_widget_table,
            array(
                'pluginStyle' => 'Default'
            ),
            array(
                'styleId' => $id
            ),
            array(
                '%s'
            ),
            array(
                '%d'
            )
    );
    
    $configWidget = $wpdb->prefix . 'wdplugin_widget';
    $wpdb->get_var("SHOW TABLES LIKE '$configWidget'");
    
    $table_name = $wpdb->prefix . "wdplugin_s";
    $success = $wpdb->insert($table_name, array("apiKey" => $key, "username" => $username, "email" => $email), array('%s', '%s', '%s'));
    
    $table_name = $wpdb->prefix . "wdplugin_s";
    $response = $wpdb->delete($table_name, array('id' => $id), array('%d'));
    
    $table_name = $wpdb->prefix . "wdplugin_s";
    $success = $wpdb->insert(
                $table_name,
                array(
                    'styleName' => $styleName,
                    'oneTimeCheck' => $oneTimeCheck,
                    'monthlyCheck' => $monthlyCheck
                ),
                array(
                    '%s',
                    '%d',
                    '%d',
                )
    );
    
    $table_name = $wpdb->prefix . "wdplugin_s";
    $sql = "DROP TABLE IF EXISTS " . $table_name . "";
    $wpdb->query($sql);
    

    Please help. According to the documentation, I need to place prepare only with placeholders or dynamic values. But there is still something wrong according to the reviewer.

Viewing 1 replies (of 1 total)
  • It’s best practice to always use prepare, but the main use of it is to prevent SQL injection attacks, and since there is no input from the users/visitors, or they can’t affect the query, that is not an issue in your current example.

    But like I said before, it’s best practice to use it, and once you start using it you never stop, so in your example you can use it like so:
    Use prepare where you define the query, like

    $wpdb->query("ALTER TABLE $table_name ADD COLUMN successUrl TEXT DEFAULT '' NOT NULL");

    To

    $wpdb->prepare("ALTER TABLE $table_name ADD COLUMN successUrl TEXT DEFAULT '' NOT NULL");

    Change all statements where you use query.
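For the placement question itself, here is an added example that is not part of the original post or the reply above. It takes the query shapes from the first post (the same table suffixes) and shows where `$wpdb->prepare()` belongs for each: binding dynamic values with `%d`/`%s`, binding table names with the `%i` identifier placeholder, escaping a `LIKE` pattern, and leaving `insert()`/`update()`/`delete()` unwrapped because they escape through their format arrays. The function names, the allowlist helper and the column set are assumptions made for this example, and it assumes WordPress 6.2 or later for `%i`.

```php
<?php
/**
 * Added example (not from the original post or reply): where prepare()
 * goes for the query shapes shown in the thread.
 *
 * Assumptions: runs inside WordPress with the global $wpdb; the table
 * suffixes 'wdplugin_widget', 'wdplugin_s', 'wdplugin_a_key' are taken
 * from the post; function names and columns are illustrative only.
 */

/**
 * Build a fully qualified table name from a known suffix. Rejecting
 * anything outside the allowlist keeps a table name that ends up in SQL
 * from ever carrying request-controlled text.
 */
function wdplugin_table( string $suffix ): string {
    global $wpdb;
    $allowed = array( 'wdplugin_widget', 'wdplugin_s', 'wdplugin_a_key' );
    if ( ! in_array( $suffix, $allowed, true ) ) {
        throw new InvalidArgumentException( 'Unknown wdplugin table: ' . $suffix );
    }
    return $wpdb->prefix . $suffix;
}

/**
 * Dynamic value in WHERE: prepare() binds $id with %d.
 * prepare() only RETURNS a string; the query runs when that string is
 * handed to get_results()/get_row()/get_var()/query().
 */
function wdplugin_get_key_row( int $id ) {
    global $wpdb;
    $table = wdplugin_table( 'wdplugin_a_key' );
    // %i (WordPress 6.2+) quotes the identifier with backticks; %d binds the integer.
    $sql = $wpdb->prepare( 'SELECT * FROM %i WHERE id = %d', $table, $id );
    return $wpdb->get_row( $sql, ARRAY_A );
}

/**
 * Whole-table read with no request-controlled parts. Only the identifier
 * is bound; calling prepare() on a string with no placeholders at all
 * raises a "must have a placeholder" _doing_it_wrong() notice.
 */
function wdplugin_get_all_styles() {
    global $wpdb;
    $sql = $wpdb->prepare( 'SELECT * FROM %i', wdplugin_table( 'wdplugin_s' ) );
    return $wpdb->get_results( $sql, ARRAY_A );
}

/**
 * LIKE pattern: the table name is a value here, so bind it with %s and
 * run it through esc_like() so '_' and '%' in the prefix are matched
 * literally instead of acting as wildcards.
 */
function wdplugin_table_exists( string $suffix ): bool {
    global $wpdb;
    $table = wdplugin_table( $suffix );
    $sql   = $wpdb->prepare( 'SHOW TABLES LIKE %s', $wpdb->esc_like( $table ) );
    return $wpdb->get_var( $sql ) === $table;
}

/**
 * insert()/update()/delete() escape their values internally using the
 * format arrays, so they are NOT wrapped in prepare(). The format array
 * is what sends $id as an integer and $key as a string to MySQL.
 */
function wdplugin_save_key( string $key, string $username, string $email ) {
    global $wpdb;
    return $wpdb->insert(
        wdplugin_table( 'wdplugin_s' ),
        array( 'apiKey' => $key, 'username' => $username, 'email' => $email ),
        array( '%s', '%s', '%s' )
    );
}

function wdplugin_delete_style( int $id ) {
    global $wpdb;
    return $wpdb->delete( wdplugin_table( 'wdplugin_s' ), array( 'id' => $id ), array( '%d' ) );
}

/**
 * Install/uninstall DDL: nothing here comes from a request, only
 * $wpdb->prefix. Routing the identifier through %i means the statement
 * still passes through prepare(), so a scan for raw interpolation has
 * nothing to flag, and the call is wrapped in query() so it actually runs.
 */
function wdplugin_drop_key_table() {
    global $wpdb;
    $wpdb->query( $wpdb->prepare( 'DROP TABLE IF EXISTS %i', wdplugin_table( 'wdplugin_a_key' ) ) );
}
```

The point to keep in mind when rewriting the snippets in the first post is that `prepare()` never executes anything: replacing `$wpdb->query(...)` with a bare `$wpdb->prepare(...)` returns the prepared SQL string and silently drops the query, so the prepared string always has to be passed back into `query()` or one of the `get_*()` methods. On WordPress older than 6.2, `%i` is not available; in that case the allowlist check above is what keeps an interpolated table name safe, and a literal `%` in the SQL has to be written as `%%` when the string goes through `prepare()`.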


The topic ‘Need Help Placing $wpdb->prepare’ is closed to new replies.