Support » Fixing WordPress » when to use $wpdb->prepare?

  • Hi all,
    I’ve been reading about sql injection etc and I want to beef up the security on my site.

    I’ve read that queries should have $wpdb->prepare with them…

    So, for example,
    $wpdb->get_var('SELECT blah FROM blah WHERE something = '.$var.');
    $wpdb->get_var($wpdb->prepare('SELECT blah FROM blah WHERE something = %d',$var));

    My 2 questions are…

    1) Is the above correct formatting for using the ->prepare statement?

    2) When is $wpdb->prepare to be used? Is it on EVERY sql statement? Or just certain ones?

    Many thanks for any light you can shed on this.


    John 😉

  • The topic ‘when to use $wpdb->prepare?’ is closed to new replies.