Is prepare required for Wordpress?

Hi I have a wordpress plugin and I want to ask something, is prepare required for database operations before sending to envato? Or for which it is mandatory for which ones.

Because somewhere, prepare prevents my code from running and I don’t get data from the user. I get data from the page on wp-admin with get.

Output prepare:
SELECT * FROM wp_lsph_search_words ORDER BY ‘how_much_searched_total’ ‘desc’

My code

    $orderby = isset( $_GET['orderby'] ) ? strval( $_GET['orderby'] ) : "how_much_searched_diary";
    $order = isset( $_GET['order'] ) ? strval( $_GET['order'] ) : "DESC";

    global $wpdb;
    $lsph_table = $wpdb->prefix . "lsph_search_words";

    $query = $wpdb->prepare( "SELECT * FROM `$lsph_table` ORDER BY %s %s", array( $orderby, $order ) );
    $searched_list = $wpdb->get_results( $query );


(if you’re reading this in your email client, please read it in the forums, to see the code formatted correctly)

  1. First of all, never pass variables you’re getting from the user’s input (_GET, _POST) without escaping them properly. Not escaping them can lead to major SQL injection attacks. When working with such variables, follow the rule “Trust nobody, trust nothing!”. Always escape and validate your variables before passing them to SQL statements.

    So, to escape your variables, first you’ll have to do something like this:

    $orderby = isset( $_GET['orderby'] ) ? mysql_real_escape_string($_GET['orderby'] : 'how_much_searched_diary';
    $order = isset( $_GET['order'] ) ? mysql_real_escape_string($_GET['order'] : 'DESC';
  2. Second, you’re getting that incorrect prepare output because wpdb->prepare always quotes the variables. So, you don’t have to use $wpdb->prepare() for ORDER BY clauses. To add ORDER and ORDER BY variables, you only have to concatenate them to the SQL statement like this:

    $sql = "SELECT * FROM $lsph_table ORDER BY " . $orderby . " " . $order;
    $query = $wpdb->prepare( $sql );
    $searched_list = $wpdb->get_results( $query );

  3. Third, again, wpdb->prepare is used also to prevent SQL injection attacks. And it is mandatory before executing a query. Based on the same principle “Trust nobody”.


Call to undefined function mysql_real_escape_string() what?

So does wordpress need prepare for wpdb-> insert and wpdb-> update? Because there is no such parameter, it takes the data directly as an array.

In PHP 7 it was removed, but see this:


1 Like

I’m using sanitize_text_field. Thank you.

My post method function Is it okay?

function lsph_post( $post, $type ){

$result = ( isset( $_POST[$post] ) ) ? $_POST[$post] : null;
if ( $type == "str" ) {
    $result = strval( $result );
    if ( ! is_string( $result ) )
        return "invalid";

    $result = sanitize_text_field( $result );

$result = trim( $result );
return $result;