• My data importer accepts any .csv file. So I cannot predict the number of columns or their titles/headers.

    WP core insert() does not escape single quotes despite everything I read indicating that using $wpdb->insert() prepares the INSERT. The codex states the following but the only way to avoid a MySQL error is to escape individual values…

    (array) Data to insert (in column => value pairs). Both $data columns and $data values should be “raw” (neither should be SQL escaped).

    What would be the recommended approach to using prepare() and possibly PDO within the WordPress environment? Keeping in mind I would need to add a number of placeholders based on the user's .csv file.

    I’m considering eval() to build the prepare() line but surely that is not safe?

    mysql_real_escape_string() allows the import, escaping single quotes, however it is deprecated.

    Thanks community.

Viewing 1 replies (of 1 total)
  • Moderator bcworkz

    (@bcworkz)

    $wpdb->insert() really does call $wpdb->prepare() internally, so something else is going on. I’m able to use $wpdb->insert() to place unescaped data containing single quotes without any issue in a quick test. I suspect there’s something wrong with how your data is being set up for $wpdb->insert(). Try var_dumping the data (and format if applicable) array provided to $wpdb->insert() from a simple .csv file that includes single quotes in the string values. It should be apparent what the problem is.

    The var_dump output may look a little strange, for example:
    'column_name' => string 'O'Brien' (length=7)
    the 3 single quotes are OK, the outer single quotes are an artifact of the var_dump output, which does not need to fit PHP syntax rules. (“O’Brien” is the test value I used to check $wpdb->insert())
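The pattern the reply recommends, written out as an added example (this is not code from the thread, from the poster or from WordPress core). It assumes WordPress is loaded so the global $wpdb exists; the table name, the file path and the function names csv_import_rows() and csv_prepared_insert_sql() are placeholders chosen for this example. Values are passed to $wpdb->insert() raw, exactly as the Codex text quoted above says, and the variable number of placeholders for a hand-written prepare() call is produced with array_fill(), so eval() is never needed. One caveat the thread does not spell out: $wpdb->insert() escapes values but not column names, and with a user-supplied .csv the header row is user-controlled, so the example checks every header against the table's real columns before it is used in SQL.

```php
<?php
// Added example, not code from the thread or from WordPress core.
// Assumes WordPress is loaded (global $wpdb available); table name and
// path are placeholders.

/**
 * Import every data row of a CSV file into $table using $wpdb->insert().
 *
 * - Column names come from the CSV header and are user-controlled, so they
 *   are whitelisted against the table's actual columns: insert() escapes
 *   values, not identifiers.
 * - Values are handed over raw; $wpdb->insert() prepares/escapes them, so a
 *   value such as O'Brien needs no manual escaping.
 *
 * Returns the number of rows inserted, or a WP_Error.
 */
function csv_import_rows( string $csv_path, string $table ) {
    global $wpdb;

    $fh = fopen( $csv_path, 'r' );
    if ( false === $fh ) {
        return new WP_Error( 'csv_open', "Cannot open {$csv_path}" );
    }

    $headers = fgetcsv( $fh );
    if ( ! $headers ) {
        fclose( $fh );
        return new WP_Error( 'csv_header', 'CSV has no header row' );
    }
    $headers = array_map( 'trim', $headers );

    // Whitelist: only columns that really exist in the table may be used.
    // $table itself must come from your own code, never from the upload.
    $real_columns = $wpdb->get_col( "DESCRIBE `{$table}`", 0 );
    $unknown      = array_diff( $headers, $real_columns );
    if ( $unknown ) {
        fclose( $fh );
        return new WP_Error( 'csv_columns', 'Unknown columns: ' . implode( ', ', $unknown ) );
    }

    $inserted = 0;
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        if ( count( $row ) !== count( $headers ) ) {
            continue; // skip malformed rows rather than misalign columns
        }
        // column => raw value pairs, as the Codex describes.
        $data    = array_combine( $headers, $row );
        $formats = array_fill( 0, count( $data ), '%s' );
        if ( false === $wpdb->insert( $table, $data, $formats ) ) {
            fclose( $fh );
            return new WP_Error( 'db_insert', $wpdb->last_error );
        }
        $inserted++;
    }
    fclose( $fh );
    return $inserted;
}

/**
 * The same INSERT written by hand with $wpdb->prepare(): the placeholder
 * list grows with the number of columns, built by array_fill()/implode()
 * instead of eval(). prepare() accepts the values as a single array.
 * Column names are expected to have been whitelisted as above.
 */
function csv_prepared_insert_sql( string $table, array $data ): string {
    global $wpdb;
    $columns      = '`' . implode( '`, `', array_keys( $data ) ) . '`';
    $placeholders = implode( ', ', array_fill( 0, count( $data ), '%s' ) );
    return $wpdb->prepare(
        "INSERT INTO `{$table}` ({$columns}) VALUES ({$placeholders})",
        array_values( $data )
    );
}

// Usage (path and table name are placeholders):
// $result = csv_import_rows( '/path/to/upload.csv', $wpdb->prefix . 'my_import' );
// if ( is_wp_error( $result ) ) {
//     error_log( $result->get_error_message() );
// }
```

If $wpdb->insert() still fails on a value such as O'Brien, $wpdb->last_error (returned in the WP_Error above) together with the var_dump the reply suggests will show whether the value reached insert() already escaped or mangled by an earlier step of the importer.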


The topic ‘Recommended WP Core INSERT Query Method’ is closed to new replies.