[wp-hackers] $wpdb: columns with digit names

Andrew Nacin wp at andrewnacin.com
Sat Apr 7 06:30:06 UTC 2012

On Apr 5, 2012 4:35 AM, "David Gard" <dgard at dynedrewett.com> wrote:
> First off, for the query, try this code. WP will prepare it correctly for
a MySQL query then -
> $query = "SELECT * FROM "{DBNAME}" WHERE id = '{$target}'";
> print_r( $wpdb->get_row( $wpdb->prepare( $query, ARRAY_A ) ) );

Eek. That query is insecure and not "prepared".

prepare() does not take ARRAY_A, get_row() does. What you want is to use %s
or %d in a query string, then pass prepare additional arguments for those
placeholders. It's like sprintf().

prepare() is not magic.


$query = "select * from sometable where id = %d";
$wpdb->get_row( $wpdb->prepare( $query, $id ), ARRAY_A ) );


More information about the wp-hackers mailing list