With WordPress esc_sql() it says…
Note: Be careful to use this function correctly. It will only escape values to be used in strings in the query. That is, it only provides escaping for values that will be within quotes in the SQL (as in field = '{$escaped_value}'). If your value is not going to be within quotes, your code will still be vulnerable to SQL injection. For example, this is vulnerable, because the escaped value is not surrounded by quotes in the SQL query: ORDER BY {$escaped_value}. As such, this function does not escape unquoted numeric values, field names, or SQL keywords.
If I do a query like so:
$tablename = TABLE_NAME; // defined elsewhere: define('TABLE_NAME', 'MyTableName');
$wpdb->query("DELETE FROM ".esc_sql($tablename)." WHERE Var='".esc_sql($Var)."'");
Will I be protected if I use back-ticks when inserting the table name the same as I would with the single quotes for the Var value?
TIA,
designdrumm
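An added example (not code from the post above, and not WordPress core) showing the defender's answer to the identifier problem the esc_sql() note describes: do not escape a table name at all, whitelist it. The table list, function names and the `Var` column are assumptions for illustration; `$wpdb`, `prepare()`, `query()` and `last_error` are real wpdb members, and the `%i` placeholder exists in WordPress 6.2 and later.

```php
<?php
// Added example, not from the forum post: whitelisting a table name
// instead of escaping it. Assumes plugin context with global $wpdb.

/**
 * Return a fully qualified table name only if it is one we expect.
 * esc_sql() does not protect identifiers, so the defence is a whitelist:
 * the caller-controlled part can only ever select from names we wrote.
 *
 * @return string|null prefixed table name, or null when not allowed
 */
function mytbl_resolve_table( $short_name ) {
    global $wpdb;
    // Hypothetical plugin tables; real code lists its own.
    $allowed = array( 'mytable', 'mylog' );
    if ( ! in_array( $short_name, $allowed, true ) ) {
        return null;
    }
    return $wpdb->prefix . $short_name;
}

/**
 * Delete rows whose Var column equals $var from a whitelisted table.
 * The identifier is trusted because it passed the whitelist; the value
 * still goes through prepare() with %s, which quotes and escapes it.
 *
 * @return int|false number of rows deleted, or false on refusal/error
 */
function mytbl_delete_rows( $short_name, $var ) {
    global $wpdb;
    $table = mytbl_resolve_table( $short_name );
    if ( null === $table ) {
        return false; // refuse rather than try to escape an identifier
    }
    // Backticks on their own are not a sanitiser: the mysqli escaping
    // behind esc_sql() handles quotes and backslashes, not backticks.
    // With a whitelist that distinction no longer matters.
    $sql    = $wpdb->prepare( "DELETE FROM `{$table}` WHERE Var = %s", $var );
    $result = $wpdb->query( $sql );
    if ( false === $result ) {
        error_log( 'mytbl delete failed: ' . $wpdb->last_error );
    }
    return $result;
}

/**
 * Same operation on WordPress 6.2 or newer, where prepare() accepts the
 * %i placeholder and quotes/escapes the identifier itself. The whitelist
 * is still kept: %i stops syntax breakage, not access to the wrong table.
 *
 * @return int|false
 */
function mytbl_delete_rows_62( $short_name, $var ) {
    global $wpdb;
    $table = mytbl_resolve_table( $short_name );
    if ( null === $table ) {
        return false;
    }
    return $wpdb->query(
        $wpdb->prepare( 'DELETE FROM %i WHERE Var = %s', $table, $var )
    );
}
```

The design point is that identifiers and values need different controls: values get a quoted placeholder, identifiers get a closed list the code owns. Checking `$wpdb->query()` for `false` and logging `$wpdb->last_error` is what turns a silent failure into something visible.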
I am unable to delete some rows from wp_options using $wpdb->query:
$wpdb->query($wpdb->prepare("DELETE FORM $wpdb->options WHERE option_name LIKE %s",'_transient_%'));
There is no error and I can’t figure out what the problem is …
Any help will be appreciated.
I’m tearing my hair out here – I’m assuming I have a typo but not sure.
function cat_has_products($id) {
    global $wpdb;
    $id = trim($id);
    $sql = "SELECT term_taxonomy_id from wp_term_taxonomy where term_id = $id;";
    $termtaxid = $wpdb->get_var ($wpdb->prepare( $sql) );
    echo "ID = $id <br>";
    echo "Term id = $termtaxid <br>" ;
    $catprodcount = $wpdb->get_var ($wpdb->prepare( "select count(object_id) from $wpdb->term_relationships where term_taxonomy_id = $termtaxid;") );
    echo "Count is : <br>" . $catprodcount;
    //return $catprodcount;
}
Typical output is as follows:
ID = 96
Term id =
Count is :
where 96 is the value passed to the function.
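An added example (not code from the two posts above) of the placeholder style `wpdb::prepare()` is built around, covering both the `DELETE ... LIKE` case from the transient post and the term lookup from the post just above: values are passed as arguments rather than interpolated, a `LIKE` prefix goes through `esc_like()`, and a numeric id is bound with `%d`. The function names and the `$taxonomy` parameter are assumptions; `$wpdb->options`, `$wpdb->term_taxonomy`, `$wpdb->term_relationships`, `esc_like()`, `get_var()` and `last_error` are real wpdb members.

```php
<?php
// Added example, not from either forum post. Assumes plugin context
// with global $wpdb available.

/**
 * Delete option rows whose name starts with $prefix (e.g. '_transient_').
 * prepare() needs the value as an argument, not interpolated into the
 * string. Because '_' and '%' are LIKE wildcards, the literal prefix is
 * passed through esc_like() first so '_transient_' matches itself rather
 * than any character in those positions.
 *
 * @return int|false number of deleted rows, or false on error
 */
function myplugin_delete_options_like( $prefix ) {
    global $wpdb;
    $pattern = $wpdb->esc_like( $prefix ) . '%';
    $deleted = $wpdb->query(
        $wpdb->prepare(
            "DELETE FROM {$wpdb->options} WHERE option_name LIKE %s",
            $pattern
        )
    );
    if ( false === $deleted ) {
        error_log( 'myplugin delete failed: ' . $wpdb->last_error );
    }
    return $deleted;
}

/**
 * Count the objects attached to a term in one taxonomy. The id is cast
 * and bound with %d, so a non-numeric value becomes 0 instead of SQL.
 * A term can have one term_taxonomy row per taxonomy, which is why the
 * taxonomy is part of the lookup (assumed default: 'product_cat').
 *
 * @return int count, 0 when the term does not exist in that taxonomy
 */
function myplugin_cat_product_count( $term_id, $taxonomy = 'product_cat' ) {
    global $wpdb;
    $tt_id = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT term_taxonomy_id FROM {$wpdb->term_taxonomy}
             WHERE term_id = %d AND taxonomy = %s",
            (int) $term_id,
            $taxonomy
        )
    );
    if ( null === $tt_id ) {
        // get_var() returns null when no row matched: unknown term id.
        return 0;
    }
    return (int) $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(object_id) FROM {$wpdb->term_relationships}
             WHERE term_taxonomy_id = %d",
            (int) $tt_id
        )
    );
}
```

Testing `get_var()` against `null` separately from `0` is what distinguishes "term not found" from "term found but empty", which is the difference between the two blank lines in the output shown above.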
$wpdb->query("SELECT id from wp_posts")
$wpdb->get_col("SELECT id FROM wp_posts",0);
$wpdb->query("INSERT INTO wp_reg (ID, slname, sfname, plname, pfname, email, phone, cellphone) VALUES (NULL, $slname, $sfname, $plname, $pfname, $email, $phone, $cellphone)");
Can someone who knows more about PHP, MySQL, and the $wpdb class help me figure out how to get this to work? (And if there’s nothing wrong with the code, might there be something wrong with how the database is set up that would prevent new records being inserted?)
Thanks!
I am now attempting to add data to the database, but it seems no matter how many times I submit the data, nothing is added to the database.
Here is the code that I’m using:
$sql = "INSERT INTO " . $wpdb->prefix . "table_name
(table_row_name, table_row_2, table_row_3) VALUES (
'" . $wpdb->escape($_POST['table_row_name']) . "',
'" . $wpdb->escape($_POST['table_row_2']) . "',
'" . $wpdb->escape($_POST['table_row_3']) . "'
)";
$wpdb->query($sql);
As stated in the WordPress documentation about working with databases, I have included the following lines of code beforehand:
include_once(ABSPATH . 'wp-config.php');
include_once(ABSPATH . 'wp-includes/wp-db.php');
I am definitely missing something here, but I am lost as to what. I’ve ensured that the SQL statement is complete with the values that are passed from the form (echoed the $sql variable on the “results” page). I don’t get any errors, but am completely lost as to what is going on. Any pointers?
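An added example (not code from either of the two insert posts above) of the insert path both posts are attempting, written with `$wpdb->insert()` so that every value is quoted and escaped by wpdb and nothing from `$_POST` reaches the SQL string. The `wp_reg` table and its columns come from the earlier post; the nonce action name, form field names and function name are assumptions. `$wpdb->insert()`, `insert_id` and `last_error` are real wpdb members; `$wpdb->escape()` was deprecated in WordPress 3.6 in favour of `esc_sql()`, and neither is needed when `insert()` does the escaping.

```php
<?php
// Added example, not from the forum posts. Assumes a plugin form handler
// with global $wpdb available and a table named {$wpdb->prefix}reg.

/**
 * Insert one registration row from a submitted form.
 *
 * @return int|false new row id, or false when validation or insert failed
 */
function myplugin_handle_registration() {
    global $wpdb;

    // Reject submissions that did not originate from our own form.
    // 'myplugin_register' is an assumed nonce action name.
    if ( ! isset( $_POST['myplugin_nonce'] )
        || ! wp_verify_nonce( $_POST['myplugin_nonce'], 'myplugin_register' ) ) {
        return false;
    }

    // Validate each field before it gets anywhere near SQL.
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        return false;
    }
    $row = array(
        'slname'    => sanitize_text_field( wp_unslash( $_POST['slname'] ?? '' ) ),
        'sfname'    => sanitize_text_field( wp_unslash( $_POST['sfname'] ?? '' ) ),
        'plname'    => sanitize_text_field( wp_unslash( $_POST['plname'] ?? '' ) ),
        'pfname'    => sanitize_text_field( wp_unslash( $_POST['pfname'] ?? '' ) ),
        'email'     => $email,
        'phone'     => sanitize_text_field( wp_unslash( $_POST['phone'] ?? '' ) ),
        'cellphone' => sanitize_text_field( wp_unslash( $_POST['cellphone'] ?? '' ) ),
    );

    // insert() builds the statement itself and binds each value with the
    // given format, so no value is interpolated as SQL. The ID column is
    // left out and takes its auto-increment value.
    $ok = $wpdb->insert(
        $wpdb->prefix . 'reg',
        $row,
        array( '%s', '%s', '%s', '%s', '%s', '%s', '%s' )
    );
    if ( false === $ok ) {
        // A "nothing happens" insert usually becomes visible here:
        // wrong table name, missing column, NOT NULL violation, etc.
        error_log( 'myplugin insert failed: ' . $wpdb->last_error );
        return false;
    }
    return (int) $wpdb->insert_id;
}
```

Checking the return value of `insert()` and reading `$wpdb->last_error` (or enabling `$wpdb->show_errors()` while debugging) is the practical way to find out why a query that produces no PHP error still writes nothing.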
Do I use $wpdb->query? or something else?
TIA
Sheri