Hi, I have a WordPress plugin and I want to ask something: is prepare required for database operations before sending to Envato? Or for which ones is it mandatory?
Because in some places, prepare prevents my code from running and I don't get data from the user. I get data from the page in wp-admin with GET.
Output of prepare:
SELECT * FROM wp_lsph_search_words ORDER BY 'how_much_searched_total' 'desc'
(if you’re reading this in your email client, please read it in the forums, to see the code formatted correctly)
First of all, never pass variables you’re getting from the user’s input (_GET, _POST) without escaping them properly. Not escaping them can lead to major SQL injection attacks. When working with such variables, follow the rule “Trust nobody, trust nothing!”. Always escape and validate your variables before passing them to SQL statements.
So, to escape your variables, first you’ll have to do something like this:
Second, you’re getting that incorrect prepare output because wpdb->prepare always quotes the variables. So, you don’t have to use $wpdb->prepare() for ORDER BY clauses. To add ORDER and ORDER BY variables, you only have to concatenate them to the SQL statement like this:
// $orderby and $order must already have been validated (see the escaping advice above)
$sql = "SELECT * FROM $lsph_table ORDER BY " . $orderby . " " . $order;
$query = $wpdb->prepare( $sql );
$searched_list = $wpdb->get_results( $query );
Third, again, wpdb->prepare is also used to prevent SQL injection attacks, and it is mandatory before executing a query, based on the same principle: "Trust nobody".
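The reply above makes two points that are worth seeing together in one function: identifiers (the column in ORDER BY and the sort direction) cannot be bound through $wpdb->prepare(), because prepare() quotes them as string values and produces exactly the broken query the question shows, while actual values should always go through placeholders. The following is an added example written for this thread, not code from the original posts or the plugin in question. It assumes a table {$wpdb->prefix}lsph_search_words with the columns listed in $allowed_columns and a constructed min parameter used as a numeric filter; the helper name lsph_get_search_words is hypothetical.

```php
<?php
// Added example (not from the original thread): building an ORDER BY clause
// from request parameters by whitelisting, and using $wpdb->prepare() only
// for values. Table/column names and the ?min= filter are assumptions.

function lsph_get_search_words( $orderby_param, $order_param, $min_param ) {
    global $wpdb;

    $table = $wpdb->prefix . 'lsph_search_words';

    // 1. Identifiers cannot be placeholders: prepare() would turn them into
    //    quoted strings ('how_much_searched_total' 'desc'). Map the request
    //    value onto a fixed list of known columns and fall back to a default,
    //    so user input never reaches the SQL text at all.
    $allowed_columns = array( 'word', 'how_much_searched_total', 'last_searched' );
    $orderby = in_array( $orderby_param, $allowed_columns, true )
        ? $orderby_param
        : 'how_much_searched_total';

    // Same idea for the direction: only the two literals ASC / DESC exist.
    $order = ( strtoupper( (string) $order_param ) === 'ASC' ) ? 'ASC' : 'DESC';

    // 2. Values DO go through prepare(): %d casts to an integer, %s escapes and
    //    quotes. The ORDER BY fragment is built solely from whitelisted literals,
    //    so interpolating it here is safe.
    $sql = $wpdb->prepare(
        "SELECT * FROM `{$table}` WHERE how_much_searched_total >= %d ORDER BY `{$orderby}` {$order}",
        absint( $min_param )
    );

    return $wpdb->get_results( $sql );
}

// Typical call from an admin page: pass the raw request values in; anything
// outside the whitelist is ignored rather than concatenated into the query.
$searched_list = lsph_get_search_words(
    isset( $_GET['orderby'] ) ? wp_unslash( $_GET['orderby'] ) : '',
    isset( $_GET['order'] ) ? wp_unslash( $_GET['order'] ) : '',
    isset( $_GET['min'] ) ? $_GET['min'] : 0
);
```

Two practical notes. Whitelisting is stronger than escaping for identifiers: esc_sql() protects string values, but an ORDER BY column is not a string value, so the only reliable check is "is this one of the columns I know about". And $wpdb->prepare() expects a query containing placeholders plus the arguments for them; calling it on a finished SQL string with no placeholders (as in the concatenation snippet above) does not add protection and triggers a _doing_it_wrong notice in current WordPress versions, so use prepare() where there are values to bind and a whitelist where there are not.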