[wp-hackers] wpdb->prepare with variables for table and keys

Otto otto at ottodestruct.com
Wed May 5 13:48:38 UTC 2010


A prepare like that handles the quoting for you. So your table and
field names get quoted, which naturally won't work.

In short, yes, the %s %d stuff should only be used for values. That
is, the right hand side of the = bits.

-Otto




On Wed, May 5, 2010 at 8:42 AM, Olivier <autremonde75 at gmail.com> wrote:
> Hello,
>
> I am trying to perform a query like this :
> $count = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM %s WHERE
> %s = %s",$table,$idkey,$idvalue));
>
> But it doesn't work, I have to end up doing this to have it work which
> means that $type and $idfield won't be escaped before performing the
> query and thus have to be verified before :
> $count = $wpdb->get_var($wpdb->prepare("SELECT COUNT(*) FROM $type
> WHERE $idfield = %s",$idvalue));
>
> So my question is "simple" : is the %s, %d, %% syntax to be used only
> for the values in the WHERE statements?
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
>
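To make Otto's point concrete, here is an added example (not code from the thread or from WordPress) that shows what `prepare()` does to a table name passed through `%s`, and the usual alternative: constrain identifiers with an application-side whitelist and pass only the value through `prepare()`. It uses a small stand-in for `$wpdb->prepare()` (an assumption, so the snippet runs with the `php` CLI without WordPress loaded; the real method is more involved but quotes `%s` the same way), and the table/column whitelist is constructed for the example.

```php
<?php
// Added example, not from the wp-hackers thread or from WordPress core.
// prepare_stand_in() is an assumed, simplified model of wpdb::prepare():
// %s becomes a quoted, escaped string literal, %d an integer, %% a literal
// percent sign. This quoting is exactly why FROM %s ends up as FROM 'wp_posts'.
function prepare_stand_in(string $query, ...$args): string
{
    $i = 0;
    return preg_replace_callback('/%%|%s|%d/', function ($m) use (&$i, $args) {
        switch ($m[0]) {
            case '%%':
                return '%';
            case '%d':
                return (string) (int) $args[$i++];
            default: // %s: quote and escape as a string value
                return "'" . addslashes((string) $args[$i++]) . "'";
        }
    }, $query);
}

// Table and column names cannot go through prepare(), so the application has
// to constrain them itself. Constructed whitelist of the identifiers this
// code is allowed to use.
const ALLOWED_IDENTIFIERS = [
    'wp_posts' => ['ID', 'post_author', 'post_status'],
    'wp_users' => ['ID', 'user_login'],
];

// Builds the COUNT(*) query, or throws if the table/column are not on the
// whitelist. Only the value is handed to prepare().
function count_query(string $table, string $column, $value): string
{
    if (!isset(ALLOWED_IDENTIFIERS[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    if (!in_array($column, ALLOWED_IDENTIFIERS[$table], true)) {
        throw new InvalidArgumentException("column not allowed: $column");
    }
    // Identifiers are known-good strings at this point; backticks guard
    // against reserved words. The value is still quoted/escaped by prepare().
    return prepare_stand_in("SELECT COUNT(*) FROM `$table` WHERE `$column` = %s", $value);
}

// 1. The approach from the original post: identifiers through %s.
echo prepare_stand_in("SELECT COUNT(*) FROM %s WHERE %s = %s", 'wp_posts', 'ID', '5'), "\n";
// SELECT COUNT(*) FROM 'wp_posts' WHERE 'ID' = '5'   (quoted identifiers: invalid SQL)

// 2. Whitelisted identifiers, value through prepare(); the quote is escaped.
echo count_query('wp_users', 'user_login', "o'reilly"), "\n";
// SELECT COUNT(*) FROM `wp_users` WHERE `user_login` = 'o\'reilly'

// 3. An identifier that is not on the whitelist is rejected before any SQL is built.
try {
    count_query('wp_posts', 'post_title', 5);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

In real code the whitelist check and the `prepare()` call for the value are what matter; the stand-in exists only so the output can be inspected without a database. Much later WordPress versions (6.2 onward) added a dedicated `%i` placeholder to `wpdb::prepare()` for identifiers, which does the backtick quoting itself; it does not replace the whitelist, since it only prevents the name from breaking out of the identifier, not from naming a table the caller should not touch.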

