I've been reading about sql injection etc and I want to beef up the security on my site.
I've read that queries should have $wpdb->prepare with them...
So, for example,
$wpdb->get_var('SELECT blah FROM blah WHERE something = '.$var.');
$wpdb->get_var($wpdb->prepare('SELECT blah FROM blah WHERE something = %d',$var));
My 2 questions are...
1) Is the above correct formatting for using the ->prepare statement?
2) When is $wpdb->prepare to be used? Is it on EVERY sql statement? Or just certain ones?
Many thanks for any light you can shed on this.