I’ve been reading about SQL injection etc. and I want to beef up the security on my site.
I’ve read that queries should have $wpdb->prepare with them…
So, for example,
$wpdb->get_var('SELECT blah FROM blah WHERE something = ' . $var); // plain string concatenation, no prepare()
$wpdb->get_var($wpdb->prepare('SELECT blah FROM blah WHERE something = %d',$var));
My 2 questions are…
1) Is the above correct formatting for using the ->prepare statement?
2) When is $wpdb->prepare to be used? Is it on EVERY sql statement? Or just certain ones?
Many thanks for any light you can shed on this.
- The topic ‘when to use $wpdb->prepare?’ is closed to new replies.
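Added example for the placeholder patterns the question asks about (not code from the original post). It assumes a loaded WordPress environment with `$wpdb` available; the table name `example` and the columns `col` and `something` are hypothetical, and the `$_GET` values are stand-ins for any externally supplied data.

```php
<?php
// Added example: $wpdb->prepare() usage for values that come from outside
// your own code. Table/column names here are hypothetical.
global $wpdb;

$table = $wpdb->prefix . 'example'; // hypothetical table

// 1) Integer comparison: %d casts the value to an integer, so the input
//    cannot change the structure of the query and needs no quotes.
$id  = isset( $_GET['id'] ) ? $_GET['id'] : 0;
$val = $wpdb->get_var(
    $wpdb->prepare( "SELECT col FROM {$table} WHERE something = %d", $id )
);

// 2) String comparison: use %s WITHOUT surrounding quotes in the SQL;
//    prepare() adds the quotes and escapes the value itself.
$name = isset( $_GET['name'] ) ? $_GET['name'] : '';
$rows = $wpdb->get_results(
    $wpdb->prepare( "SELECT col FROM {$table} WHERE something = %s", $name )
);

// 3) LIKE pattern: esc_like() neutralises a literal '%' or '_' typed by the
//    user, then the wildcarded string goes through %s like any other value.
$term = isset( $_GET['q'] ) ? $_GET['q'] : '';
$like = '%' . $wpdb->esc_like( $term ) . '%';
$rows = $wpdb->get_results(
    $wpdb->prepare( "SELECT col FROM {$table} WHERE something LIKE %s", $like )
);

// 4) IN (...) list: one %d placeholder per value; prepare() accepts the
//    values either as separate arguments or as a single array.
$ids          = array( 3, 7, 12 ); // constructed sample input
$placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
$rows = $wpdb->get_results(
    $wpdb->prepare( "SELECT col FROM {$table} WHERE something IN ({$placeholders})", $ids )
);

// Placeholders cover VALUES only. Table and column names cannot be passed
// through prepare(); pick them from a fixed list in your own code, never
// from request data.
```

A query with no variable parts at all (a fixed string) gains nothing from prepare(); every query that embeds a value from a request, a user, or another table should go through it.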