Wordpress: wpdb-> insert versus wpdb-> prepare (wpdb-> query ("INSERT

Question

Wordpress: wpdb-> insert versus wpdb-> prepare (wpdb-> query ("INSERT

I am wondering if the wordpress' insert function adds also slashes to the data. If this is not the case, it seems that the prepare request method would be better at preventing SQL injection. I tried looking for the problem there codex / api; however, this does not seem to be documented. Thanks!

+4

database php sql-injection wordpress

Parris Mar 05 '10 at 18:34

source share

2 answers

This question is a bit old, and the code may have been updated since its request. Both wpdb->insert() and wpdb->prepare() provide the same level of security as the SQL output from the input.

codex claims that the column and data values provided to the insert method must be raw, not SQL escaped.

I also quickly looked at the source to be confirmed. The implementation of the insert method uses wpdb->prepare() .

+12

Kenb Apr 16 '13 at 15:11

source share

Drdeee · Accepted Answer · 2010-03-05T18:56:48+0000

Wordpress uses ezSQL to query the database. Technically, this is not a level of abstraction, but it takes part of the template code. ezSQL has an escape function, so I assume that Wordpress always called the escape function before executing the query. But to be sure, you need to take a look at the source code.

Here's how you avoid a line in Wordpress:
$safe_string = $wpdb->escape($unsafe_string);

Wordpress: wpdb-> insert versus wpdb-> prepare (wpdb-> query ("INSERT

More articles: