[wp-hackers] $wpdb->prepare and dynamic field names

Steve Taylor steve at sltaylor.co.uk
Wed Mar 2 23:15:18 UTC 2011

$table and $id_field are hard-coded (as part of a switch). I'm not
that stupid (usually ;-)

I was just in a robot mode and following Mark's advice to escape even
if you "know" stuff is hard-coded. Seemed like good advice - but I
guess this is an instance where it's necessary to leave it be.

Thanks anyway,


On 2 March 2011 22:24, Otto <otto at ottodestruct.com> wrote:
> On Wed, Mar 2, 2011 at 3:45 PM, Steve Taylor <steve at sltaylor.co.uk> wrote:
>> Following from Mark Jaquith's handy presentation
>> (http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/),
>> I'm scouring my themes and plugins to check the security measures.
>> One issue so far. I have a query like this:
>> $field = $wpdb->get_results("
>>        SELECT  meta_value
>>        FROM    $table
>>        WHERE   meta_key        = '$key'
>>        AND             $id_field       = $id
>>        LIMIT           0, 1
>> ");
>> It's just checking whether a custom field is set for a specific object
>> (a post or user - hence the dynamic table and ID field references,
>> which are decided before this query).
>> If I use $wpdb->prepare, what would I do with $table and $id_field.
>> Wouldn't using %s automatically stick quotes around them and
>> invalidate the query?
> Yes it would, however presumably your $table and $id_field are
> hardcoded in some fashion, or at least generated by data that is
> hardcoded into the plugin and not data that comes from the user input.
> Using prepare lets the data be escaped properly, because the data can
> change and sometimes comes from the user input. However your users
> aren't putting in column or table names, are they? If they are,
> you've got deeper problems.
> -Otto
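The pattern the thread settles on, written out as an added example (not code from the thread or from WordPress itself): the table and ID column are chosen from a hard-coded whitelist keyed on the object type, and $wpdb->prepare() is used only for the values. The function name ex_get_meta_value and the 'post'/'user' type strings are assumptions for the example.

```php
<?php
// Added example, not from the thread. Assumes a WordPress $wpdb instance.
// Identifiers (table/column names) cannot be passed through %s or %d:
// prepare() would wrap them in quotes and break the query. Instead, map
// the caller-supplied object type onto hard-coded identifiers and pass
// only the variable values (meta key, object id) through prepare().
function ex_get_meta_value( $wpdb, $object_type, $object_id, $key ) {
    switch ( $object_type ) {
        case 'post':
            $table    = $wpdb->postmeta;  // "{$wpdb->prefix}postmeta"
            $id_field = 'post_id';
            break;
        case 'user':
            $table    = $wpdb->usermeta;  // "{$wpdb->prefix}usermeta"
            $id_field = 'user_id';
            break;
        default:
            // Unknown type: refuse rather than interpolate anything
            // derived from the argument into the statement.
            return null;
    }

    // %d coerces the id to an integer, %s escapes and quotes the key.
    // get_var() (instead of the thread's get_results()) returns the single
    // meta_value or null when no row matches.
    $sql = $wpdb->prepare(
        "SELECT meta_value FROM {$table} WHERE meta_key = %s AND {$id_field} = %d LIMIT 1",
        $key,
        $object_id
    );

    return $wpdb->get_var( $sql );
}
```

Since WordPress 6.2, prepare() also accepts a %i placeholder that backtick-quotes an identifier, so the whitelisted $table and $id_field above could be passed as arguments instead of interpolated; the whitelist itself is still what keeps user input out of the identifier position.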
