Title: johnywhy's Replies | WordPress.org

---

# johnywhy


## Forum Replies Created

Viewing 15 replies - 1 through 15 (of 92 total)


 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
   
   In reply to: [[Members - Membership & User Role Editor Plugin] Deny role ability to edit Member roles](https://wordpress.org/support/topic/deny-role-ability-to-edit-member-roles/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [2 years ago](https://wordpress.org/support/topic/deny-role-ability-to-edit-member-roles/#post-17767686)
 * Thanks for that.
 * How can I prevent someone from changing the default role for new users? Currently,
   anyone can set it to Admin. I believe that’s a vulnerability.
 *   Forum: [Plugins](https://wordpress.org/support/forum/plugins-and-hacks/)
   
   In reply to: [[WPvivid — Backup, Migration & Staging] Exclude Users?](https://wordpress.org/support/topic/exclude-users-5/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/exclude-users-5/#post-17141662)
 * I’m not asking to exclude specific users.
 * I’m asking to exclude all users.
 *   Forum: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
   
   In reply to: [Data-Driven Content?](https://wordpress.org/support/topic/data-driven-content/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/data-driven-content/#post-17092183)
 * > But for your use-case, I think custom post type for team members with the Query
   > Loop block would be best.
   >  [@sc0ttkclark](https://wordpress.org/support/users/sc0ttkclark/)
 * Query Loop block is the Answer!
 * thx!
    -  This reply was modified 2 years, 7 months ago by [johnywhy](https://wordpress.org/support/users/johnywhy/).
 *   Forum: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
   
   In reply to: [Data-Driven Content?](https://wordpress.org/support/topic/data-driven-content/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/data-driven-content/#post-17092174)
 * I thought you meant, between post-types.
 * Can you be a little more specific?
 * > If you only want to list content that relates to the current context/page, 
   > that’s what I meant.
   >  [@sc0ttkclark](https://wordpress.org/support/users/sc0ttkclark/)
 * example of “content”?
 *   Forum: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
   
   In reply to: [Data-Driven Content?](https://wordpress.org/support/topic/data-driven-content/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/data-driven-content/#post-17092167)
 * Thanks, [@sc0ttkclark](https://wordpress.org/support/users/sc0ttkclark/) . What
   do you mean by “relationships”? Do you mean, between post-types?
    -  This reply was modified 2 years, 7 months ago by [johnywhy](https://wordpress.org/support/users/johnywhy/).
 *   Forum: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
   
   In reply to: [Data-Driven Content?](https://wordpress.org/support/topic/data-driven-content/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/data-driven-content/#post-17091795)
 * “Repeater Field” seems to be the common name for this.
 * Pods Repeater plugin might work.
 *   Forum: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
   
   In reply to: [Data-Driven Content?](https://wordpress.org/support/topic/data-driven-content/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/data-driven-content/#post-17090858)
 * Perhaps someone out there knows 🙂
 *   Forum: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
   
   In reply to: [Data-Driven Content?](https://wordpress.org/support/topic/data-driven-content/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [2 years, 7 months ago](https://wordpress.org/support/topic/data-driven-content/#post-17090838)
 * Thx, [@sterndata](https://wordpress.org/support/users/sterndata/). You’re encouraging
   me to search plugins. That’s cool!
 * Altho’, your suggested search-terms (“team” and “products”) aren’t related to
   my question at all.
 * More relevant terms are “repeating block patterns”. With that, i found
 * [https://wordpress.org/plugins/superb-blocks/](https://wordpress.org/plugins/superb-blocks/)
 * It’s not apparent that would support my request.
 * Now i’m searching “data blocks”.
 * Does WP’s native block system natively support data-driven, repeating elements/
   blocks? I looked at the Table block, but i didn’t see any way to connect it to
   a data-source. Generally, i always prefer using native features, before installing
   a plugin.
 * It would be great if there was a way to use backend data to feed any parameter
   of any kind of block.
 * Thx!
    -  This reply was modified 2 years, 7 months ago by [johnywhy](https://wordpress.org/support/users/johnywhy/).
 *   Forum: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
   
   In reply to: [Is `prepare` Required with `get_var`?](https://wordpress.org/support/topic/is-prepare-required-with-get_var/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/is-prepare-required-with-get_var/#post-7160709)
 * > With your experience you should know all about escaping user input, and when
   > it is required.
 * – My experience is desktop, not web, but that’s beside the point. As a database
   developer, I well understand the importance of protecting the database from potential
   SQL injection attacks.
 * But we’re talking here specifically about the WordPress function `get_var`, not
   web programming in general. According to what i’ve read, `get_var` does the escaping
   for you automatically, in all cases. I’m trying to get a straight “yes” _or_
   “no” answer on that. You have **failed to answer the OP.**
 * > Yes, and no. The reason for doing this is to get everyone used to using the
   > $wpdb->prepare() function, which will give you more chance of using it when
   > it’s really needed.
 * That’s NOT factual information. It’s **crusading.**
 *   Forum: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
   
   In reply to: [Is `prepare` Required with `get_var`?](https://wordpress.org/support/topic/is-prepare-required-with-get_var/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/is-prepare-required-with-get_var/#post-7160689)
 * Yes, I understand what you’re doing. There’s no need to repeat yourself.
 * And that may be very helpful to inexperienced programmers.
 * Those who, like myself, have decades of professional programming experience, 
   will be looking for factual answers.
 * So, while you have good intentions for beginners, you are at the same time insulting,
   misleading, and wasting the time of people who are looking for **correct information.**
 *   Forum: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
   
   In reply to: [Is `prepare` Required with `get_var`?](https://wordpress.org/support/topic/is-prepare-required-with-get_var/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/is-prepare-required-with-get_var/#post-7160635)
 * So, you’re definitely saying that SmashingMagazine article is **_incorrect_**.
 * Or, are you?
 * It’s difficult to tell from your answers which are the facts, and which is your
   recommendation. You mix your recommendation together with the facts, so i’m not
   sure which is which.
 * Therefore, i still don’t feel this question has been answered unambiguously.
 * Anyone else out there able to offer a straight answer, without blurring the facts
   with your opinions?
 * thx
 *   Forum: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
   
   In reply to: [Is `prepare` Required with `get_var`?](https://wordpress.org/support/topic/is-prepare-required-with-get_var/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/is-prepare-required-with-get_var/#post-7160632)
 * > In some (not many at all) cases it may be acceptable, but for the sake of a
   > few extra CPU cycles to guarantee that your query is safe, there’s no reason
   > not to.
 * ok, i get that you’re campaigning for always using `prepare`, even in cases where
   it’s not needed. For the sake of straight information, let’s just keep the _facts_
   separate from your recommendation. Let’s be clear that **_`prepare` is only needed
   where there is user-entered data in a variable._**
 * Many thanks for providing the _safe_ version of my query!
 * thx
 *   Forum: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
   
   In reply to: [Is `prepare` Required with `get_var`?](https://wordpress.org/support/topic/is-prepare-required-with-get_var/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/is-prepare-required-with-get_var/#post-7160628)
 * > The only time that you don’t use prepare is when you have something where there
   > are no variables
 * Even if the variables are not user-entered?
 * > I’d also recommend that you use $wpdb->prefix as well instead of hard-coding
   > the prefix in there. Might not make a difference, there’s always a chance.
 * Yes, it’s my intention to use the table-prefix function. But, a “chance” of
   what?
 *   Forum: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
   
   In reply to: [Is `prepare` Required with `get_var`?](https://wordpress.org/support/topic/is-prepare-required-with-get_var/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/is-prepare-required-with-get_var/#post-7160624)
 * very awesome answer.
 * i’m still not understanding your note about “every other value”.
 * i’ve seen some examples which wrap `prepare` around individual terms within the
   sql query, instead of the whole query as you’ve done. Your way is certainly easier
   to write and read. Is there a difference?
 * > The reason for doing this is to get everyone used to using the $wpdb->prepare()
   > function, which will give you more chance of using it when it’s really needed
 * well ok, i’d rather just understand and use it where it needs to be used.
 * thx
 *   Forum: [Hacks](https://wordpress.org/support/forum/plugins-and-hacks/hacks/)
   
   In reply to: [Is `prepare` Required with `get_var`?](https://wordpress.org/support/topic/is-prepare-required-with-get_var/)
 *  Thread Starter [johnywhy](https://wordpress.org/support/users/johnywhy/)
 * (@johnywhy)
 * [10 years, 2 months ago](https://wordpress.org/support/topic/is-prepare-required-with-get_var/#post-7160618)
 * ok, thx for the clarification. Some follow-up:
 * if the WHERE parameter i’m passing into my function is a dropdown selector control
   on the webpage, then that _is_ user-entered data. But, it’s restricted to the
   values in the dropdown picker. i’m wondering if a savvy user could bypass the
   picker, and submit the form with values that are not in the picker (e.g. `DROP users`).
   Is that a valid concern with a selector control? i posted the wrong code. THIS is
   my function. Is it safe with a selector control?
 *     ```php
       function bp_Get_FieldgroupID($FieldgroupName){
            global $wpdb;
            // $FieldgroupName is interpolated directly into the SQL string; get_var() runs it as-is
            $query = "SELECT ID FROM wp_t9s5y8_bp_xprofile_groups WHERE name = '$FieldgroupName'";
            return $wpdb->get_var($query);
       }
       ```
   
 * ====
    is your escaped code an example of escaping “every other value”, as you
   recommended above?
 * > `$query = $wpdb->prepare("SELECT ID FROM ".$wpdb->posts." WHERE post_title = %s", $_POST['user_var']);`
 * ====
 * > you should use $wpdb->prepare() for creating almost all SQL queries that you
   > need.
 * Would it be more correct to say, “you should use $wpdb->prepare() for creating
   **all** SQL queries that **include user-entered data**.”
 * thx!
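Added example (not johnywhy's code, nor the plugin's or WordPress's own) showing the function from this post as written and then with `$wpdb->prepare()` around the whole statement, plus a server-side allow-list for the dropdown value. It assumes WordPress's global `$wpdb`, that the posted table is `$wpdb->prefix . 'bp_xprofile_groups'`, and a constructed list of field-group names.

```php
<?php
// Added example, not johnywhy's code or the plugin's. Assumes WordPress's global $wpdb and
// that the table in the post is $wpdb->prefix . 'bp_xprofile_groups' (prefix 'wp_t9s5y8_' there).

/**
 * As posted: $fieldgroup_name is interpolated straight into the SQL string.
 * $wpdb->get_var() performs no escaping; it simply runs the string it is given,
 * so whatever the browser submitted becomes part of the statement.
 */
function bp_get_fieldgroup_id_unsafe( $fieldgroup_name ) {
    global $wpdb;
    $query = "SELECT ID FROM {$wpdb->prefix}bp_xprofile_groups WHERE name = '$fieldgroup_name'";
    return $wpdb->get_var( $query );
}

/**
 * Hardened: prepare() around the whole statement. %s is quoted and escaped by $wpdb,
 * so a submitted value containing quotes or SQL keywords is compared as a literal
 * string, never executed. Wrapping only the one placeholder term would protect that
 * term equally; wrapping the whole query is simply easier to read and audit.
 */
function bp_get_fieldgroup_id( $fieldgroup_name ) {
    global $wpdb;
    return $wpdb->get_var(
        $wpdb->prepare(
            "SELECT ID FROM {$wpdb->prefix}bp_xprofile_groups WHERE name = %s",
            $fieldgroup_name
        )
    );
}

// Constructed sample: the names the form's <select> actually offers.
const BP_ALLOWED_FIELDGROUPS = array( 'Base', 'Work', 'Interests' );

/**
 * The dropdown is only a browser-side convenience: the server receives a POST field,
 * not a "picker", so the value is user-entered data like any other. Reject anything
 * the form does not offer, then still go through prepare() for the query itself.
 */
function bp_get_fieldgroup_id_from_request( array $post ) {
    $name = isset( $post['fieldgroup'] ) ? wp_unslash( $post['fieldgroup'] ) : '';
    if ( ! in_array( $name, BP_ALLOWED_FIELDGROUPS, true ) ) {
        return null; // not a value the form offers; no query is run
    }
    return bp_get_fieldgroup_id( $name );
}
```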
