[wp-hackers] $wpdb->prepare and dynamic field names
Steve Taylor
steve at sltaylor.co.uk
Wed Mar 2 21:45:10 UTC 2011
Following from Mark Jaquith's handy presentation
(http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/),
I'm scouring my themes and plugins to check the security measures.
One issue so far. I have a query like this:
$field = $wpdb->get_results("
SELECT meta_value
FROM $table
WHERE meta_key = '$key'
AND $id_field = $id
LIMIT 0, 1
");
It's just checking whether a custom field is set for a specific object
(a post or user - hence the dynamic table and ID field references,
which are decided before this query).
If I use $wpdb->prepare, what would I do with $table and $id_field.
Wouldn't using %s automatically stick quotes around them and
invalidate the query?
cheers,
Steve Taylor
More information about the wp-hackers
mailing list