Articles of prepare statement

Using "->" in a page to execute $wpdb query gives error

I am doing some SQL queries in a WordPress page using the Insert PHP plugin, but the -> object operator changes to -&gt; when I write code in the Text editor, or view it in the Visual editor. When I execute the code it says: Parse error: syntax error, unexpected '&' in /home/content/p3pnexwpnas09_data03/81/2766081/html/wp-content/plugins/insert-php/insert_php.php(48) : eval()'d code […]

SELECT query with prepare and placeholder for string

I am trying to learn how to do a simple SELECT query using $wpdb->prepare. I am checking whether an email submitted by the user is already available in the database. There has to be something wrong with the syntax because the string placeholder is undefined, according to PhpStorm. $mail = $_POST['email']; $table = $wpdb->prefix . […]

Proper Prepare Statement for ALTER TABLE and using AFTER

My code for ALTER TABLE doesn't make use of the prepare() method of $wpdb, so the code needs to be updated properly. There are plenty of examples for SELECT queries, etc., but I couldn't find anything for ALTER TABLE with several options included in the SQL. This is the old code. $post_qry = $wpdb->get_row( "SELECT […]

prepare function sql safe method

I have a curious question about SQL injection attacks and the usage of the $wpdb->prepare function. https://codex.wordpress.org/Class_Reference/wpdb#Placeholders This link says the prepare method is better for protecting against SQL injection. So I use the code below with prepare. $query = $new_wpdb->prepare( "INSERT INTO sym_data ( user_id, country, dob, height, weight, bmi ) VALUES ( %d, %s, %s, %d, %d, %f)", $user_id, […]

How to use prepare to query with variables

Trying to write a prepare statement that works. This works: $countthem = $wpdb->get_var( "SELECT COUNT(*) FROM wp_cmapg WHERE lang = 'yes'" ); This does NOT work: $countthem = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM wp_cmapg WHERE lang = %s", $lang ), 0, 0 ); Also tried: $countthem = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(*) FROM wp_cmapg WHERE lang LIKE […]

How to correctly pass values to wpdb->prepare()?

Look here: // $term_slugs is a function argument: array('foto', 'video') $term_query = "t.slug IN ('" . implode("','", $term_slugs) . "') "; $ids = $wpdb->get_results($wpdb->prepare(" SELECT m.meta_value FROM " . $wpdb->prefix . "posts p INNER JOIN " . $wpdb->prefix . "postmeta m ON m.post_id = p.ID INNER JOIN " . $wpdb->prefix . "term_relationships rel ON p.ID = […]

What's wrong with my $wpdb prepare

I can't get my head around this. I get this error: Parse error: syntax error, unexpected '"' in 224. The line is this, between foreach $html: $html = ''; foreach ( $recent_across_network as $post ) { $html .= 'blog_id, $post->ID ) . '">' . $post->post_title . ''; } $html .= ''; Also I get error […]

Quotes in table name

Since WP 3.5, prepare() accepts placeholders as a security measure, instead of just appending the argument to the query. Therefore, $wpdb->prefix needs to become a second parameter, called by %s: $count = $wpdb->get_var( $wpdb->prepare( "SELECT COUNT(id) FROM %s WHERE answer != ' '", $wpdb->prefix . "faq_questions" ) ); However, doing that returns the table name in quotes: […]

Prepared statements used incorrectly in ACF?

I've just updated to WP 3.9 and it returns a warning when placeholders are used incorrectly. I've found some prepared statements written incorrectly, but I really got worried when I saw this in the ACF plugin (because it's so widely used): (Take a look at export.php in the core files of the plugin) // create SQL […]

How to pass orderby params to $wpdb->prepare()?

When passing values like 'ASC' or 'DESC' to prepare like: […] $order = 'DESC'; [… (the whole query)], $order); // (as a prepare param) it doesn't work, because the resulting query from something like: […] group_concat(p.id ORDER BY p.post_date %s) will be: […] group_concat(p.id ORDER BY p.post_date 'DESC') while it should be: […] group_concat(p.id ORDER BY […]