Wordpress: wpdb->insert VERSUS wpdb->prepare(wpdb->query("INSERT

I am wondering if WordPress' insert function also adds slashes to data. If it doesn't, it would seem that the prepare query method would be better to protect against SQL injection. I tried looking the issue up in their codex/API; however, it seems undocumented. Thanks!

Parris asked Dec 06 '22 03:12

2 Answers

This question is a little old and the codex may have been updated since it was asked. Both wpdb->insert() and wpdb->prepare() provide the same level of safety regarding SQL escaping of input data.

The codex states that both the column and data values provided to the insert method should be raw, not SQL escaped.

I also took a quick look at the source to confirm. The implementation for the insert method uses wpdb->prepare().

KenB answered Dec 07 '22 17:12

WordPress uses ezSQL to query the database. Technically, it is not an abstraction layer, but it does take away some of the boilerplate code. ezSQL has an escape function, so I assume that WordPress would always call the escape function before executing a query. But to be certain you would have to take a look at the source code.

This is how you escape a string in WordPress:
$safe_string = $wpdb->escape($unsafe_string);

DrDee answered Dec 07 '22 17:12
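To make the point of both answers concrete (insert() builds a prepare()'d statement, so its data must be raw, and escaping twice corrupts the stored value), here is an added example that is not part of the question or either answer. It assumes it runs inside WordPress with the global $wpdb available; the table name "{$wpdb->prefix}feedback" and its columns user_id and comment are assumptions made for this example, and the "it's" input is a constructed sample.

```php
<?php
/**
 * Added example (not from the original question or answers): the same INSERT
 * written three ways with the WordPress $wpdb object, to show where escaping
 * happens. Assumes a WordPress runtime (global $wpdb) and an assumed table
 * {$wpdb->prefix}feedback with columns user_id (int) and comment (text).
 */

function feedback_table_name() {
    global $wpdb;
    // $wpdb->prefix is configuration, not user input, so interpolating it is fine.
    return $wpdb->prefix . 'feedback';
}

// 1. UNSAFE: raw interpolation of user input into the SQL text. A single quote in
//    $comment breaks the statement, and a crafted value changes its meaning.
//    Shown only as the pattern the safe versions below replace.
function insert_feedback_unsafe( $user_id, $comment ) {
    global $wpdb;
    $table = feedback_table_name();
    return $wpdb->query(
        "INSERT INTO {$table} (user_id, comment) VALUES ({$user_id}, '{$comment}')"
    );
}

// 2. SAFE: wpdb->prepare() with sprintf-style placeholders. %d is cast to an
//    integer and %s is quoted and escaped by prepare() itself, so the values are
//    handed over raw (no addslashes()/esc_sql() beforehand).
function insert_feedback_prepare( $user_id, $comment ) {
    global $wpdb;
    $table = feedback_table_name();
    $sql   = $wpdb->prepare(
        "INSERT INTO {$table} (user_id, comment) VALUES (%d, %s)",
        $user_id,
        $comment
    );
    return $wpdb->query( $sql );
}

// 3. SAFE and shorter: wpdb->insert(). The data array is raw; the optional third
//    argument gives the placeholder format per column, and the method builds a
//    prepare()'d statement internally, which is why it needs no pre-escaping.
function insert_feedback_insert( $user_id, $comment ) {
    global $wpdb;
    // Returns the number of affected rows, or false on failure.
    return $wpdb->insert(
        feedback_table_name(),
        array( 'user_id' => $user_id, 'comment' => $comment ),
        array( '%d', '%s' )
    );
}

// Double-escaping check: a string that was already escaped and is then passed to
// prepare() (or insert()) is escaped again, so the literal backslash is stored.
// The input "it's" is a constructed sample.
function double_escape_demo() {
    global $wpdb;
    $raw     = "it's";
    $escaped = esc_sql( $raw );                         // it\'s

    // Correct: give prepare() the raw string; it escapes exactly once.
    $once  = $wpdb->prepare( 'SELECT %s', $raw );       // SELECT 'it\'s'
    // Wrong: the pre-escaped string is escaped a second time.
    $twice = $wpdb->prepare( 'SELECT %s', $escaped );   // SELECT 'it\\\'s'

    return array( 'once' => $once, 'twice' => $twice );
}
```

Functions 2 and 3 produce the same statement; the difference is only that insert() hides the placeholder string. If you do need a hand-written statement (a multi-row insert, an ON DUPLICATE KEY UPDATE clause), prepare() with raw values is the equivalent, and the rule from the first answer applies to both: escape once, inside prepare(), never before it.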