• Hi,

    My plugin (http://ostenta.fr/yawpp/index_en.html) has been temporarily withdrawn due to a security issue. (SQL injection)

    I tried to fix it but I received a new mail because I wasn’t using prepare() to update rows in the DB.

    Actually, I’m using the update() function.

    What is the best way to update rows?

  • Moderator bcworkz (@bcworkz)

    You might want to ask for clarification. You do not use $wpdb->prepare() before using $wpdb->update(). The final line of the update method is:
    return $this->query( $this->prepare( $sql, array_merge( array_values( $data ), array_values( $where ) ) ) );

    In plain language, $wpdb->update() calls $wpdb->prepare() for you. If you used prepare as well, the data would be double escaped.
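    Illustrating the moderator's point, here is an added example (not code from the yawpp plugin nor from either post) showing the three patterns side by side: $wpdb->update() called with explicit format arrays, the double-escaping mistake of pre-escaping a value before handing it to update(), and $wpdb->query($wpdb->prepare()) for an UPDATE that update() cannot express. It assumes it runs inside WordPress (so the global $wpdb exists), and the table name yawpp_items, its columns and the yawpp_example_* function names are hypothetical.

```php
<?php
/**
 * Added example, not code from the yawpp plugin or from the forum thread.
 * Assumes it runs inside WordPress so the global $wpdb is available, and
 * assumes a hypothetical plugin table {$wpdb->prefix}yawpp_items with the
 * columns id (int), title (varchar) and hits (int).
 */

/**
 * Correct: hand raw values to $wpdb->update() and let it call prepare().
 * The $format / $where_format arrays pin each value to %d or %s, so a
 * string can never be interpolated where an integer is expected.
 */
function yawpp_example_update_title( int $id, string $title ) {
    global $wpdb;
    $table = $wpdb->prefix . 'yawpp_items'; // hypothetical table, not user input

    $rows = $wpdb->update(
        $table,
        array( 'title' => $title ), // raw value; update() escapes it exactly once
        array( 'id' => $id ),
        array( '%s' ),              // format of $data
        array( '%d' )               // format of $where
    );

    if ( false === $rows ) {
        // $wpdb->last_error carries the MySQL error message
        return new WP_Error( 'db_update_failed', $wpdb->last_error );
    }
    return $rows; // rows changed; 0 when nothing matched or the value was unchanged
}

/**
 * Wrong: escaping first and then calling update() double-escapes, because
 * update() runs prepare() on the value again. For the title "O'Brien" the
 * row ends up holding "O\'Brien".
 */
function yawpp_example_update_title_wrong( int $id, string $title ) {
    global $wpdb;
    $wpdb->update(
        $wpdb->prefix . 'yawpp_items',
        array( 'title' => esc_sql( $title ) ), // escaped once here...
        array( 'id' => $id )                   // ...and again inside update()
    );
}

/**
 * When update() cannot express the statement (an SQL expression such as
 * hits = hits + 1, or a LIKE pattern), write the SQL yourself, pass it
 * through $wpdb->prepare() exactly once, then through $wpdb->query().
 */
function yawpp_example_bump_hits( string $title_prefix ) {
    global $wpdb;
    $table = $wpdb->prefix . 'yawpp_items';

    // esc_like() escapes %, _ and \ in the user-supplied fragment so they
    // are matched literally instead of acting as LIKE wildcards.
    $pattern = $wpdb->esc_like( $title_prefix ) . '%';

    $sql = $wpdb->prepare(
        "UPDATE {$table} SET hits = hits + 1 WHERE title LIKE %s",
        $pattern
    );
    return $wpdb->query( $sql ); // rows affected, or false on error
}
```

The rule of thumb the three functions encode: a value is escaped exactly once, by whichever $wpdb method actually builds the SQL, and the only string you ever concatenate yourself is the table name derived from $wpdb->prefix.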

  • The topic ‘$wpdb->update vs $wpdb->query->prepare’ is closed to new replies.