Hello,
So I have had an item soft-rejected again because I need to prepare all SQL queries. However, one of the queries that the review team wants me to prepare has no "Unknown variables".
An example for one of the warnings:
$count = $wpdb->get_var( "SELECT COUNT(key_id) FROM {$wpdb->prefix}userisle_api_keys WHERE 1 = 1;" );
Maybe someone with a better understanding of WordPress code standards can tell me how to prepare this statement? It has no variables! It is just counting all keys from the table. But the review team included this and wants me to prepare it? WordPress's prepare function requires 2 arguments, with the second argument containing variables.
I’m really confused. In another scenario, one of the warnings is to prepare:
$count = $wpdb->get_var( "SELECT COUNT(key_id) FROM {$wpdb->prefix}userisle_api_keys WHERE 1 = 1 {$search};" );
Yes, $search is a variable. But a few lines before that line, you can see that:
$search = '';
if ( ! empty( $_REQUEST['s'] ) ) {
    $search = "AND description LIKE '%" . esc_sql( $wpdb->esc_like( wui_clean( wp_unslash( $_REQUEST['s'] ) ) ) ) . "%' ";
}
It’s escaped. Following WordPress coding standards. I mean, seriously?
Maybe someone can help me prepare these statements? WordPress itself does not prepare statements where there are no unknown variables.
Best,
Ahmed
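One way to write both of the queries from the post so that the whole statement goes through $wpdb->prepare(), as an added example that is not part of the original post and not the plugin's own code. It assumes WordPress 6.2 or later, where prepare() accepts the %i placeholder for identifiers (the table name); on older versions the table name has to be concatenated from $wpdb->prefix and only %s is available. The function name wui_example_count_api_keys is an assumption for illustration.

```php
<?php
/**
 * Count rows in the userisle_api_keys table, optionally filtered by a LIKE
 * match on the description column, with the complete statement built by
 * $wpdb->prepare() so nothing is interpolated into the SQL string by hand.
 *
 * Added example, not code from the original post. Assumes WordPress 6.2+
 * for the %i identifier placeholder.
 */
function wui_example_count_api_keys( $search_term = '' ) {
    global $wpdb;

    // Build the table name once; it is passed to prepare() as an identifier.
    $table = $wpdb->prefix . 'userisle_api_keys';

    if ( '' === $search_term ) {
        // With %i for the table name the query always carries a placeholder,
        // so prepare() is legitimate even when there is no user-supplied value.
        $sql = $wpdb->prepare(
            'SELECT COUNT(key_id) FROM %i',
            $table
        );
    } else {
        // esc_like() escapes %, _ and \ so the caller cannot inject wildcards.
        // The surrounding % wildcards live in the value, not in the format
        // string, and prepare() adds the quotes around %s itself.
        $like = '%' . $wpdb->esc_like( $search_term ) . '%';

        $sql = $wpdb->prepare(
            'SELECT COUNT(key_id) FROM %i WHERE description LIKE %s',
            $table,
            $like
        );
    }

    return (int) $wpdb->get_var( $sql );
}

// Usage in the list-table context from the post: unslash and sanitise the
// search term, then let prepare() do the SQL quoting and escaping.
$search_term = isset( $_REQUEST['s'] )
    ? sanitize_text_field( wp_unslash( $_REQUEST['s'] ) )
    : '';

$count = wui_example_count_api_keys( $search_term );
```

Two points worth checking when adopting this: prepare() raises a _doing_it_wrong notice when the query string contains no placeholder at all, so the %i placeholder is what makes the no-search branch valid rather than a no-op; and a literal percent sign inside the format string itself must be written as %%, which is why the wildcards are placed in the bound value instead.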