Correct use of wpdb->prepare
I noticed the plugin uses wpdb->prepare incorrectly. wpdb->prepare is used to safely inject variables into a query; without variables to inject, you don't need wpdb->prepare:
- $row_count = $wpdb->get_var( $wpdb->prepare( $query ) ); + $row_count = $wpdb->get_var( $query );
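Review bot: dropping `$wpdb->prepare()` here is only correct if `$query` contains no attacker-influenced data; the hunk does not show how `$query` is built, so verify that it is assembled from constants (or was already prepared upstream) before it reaches `get_var()`, otherwise this removes the last escaping step rather than an unnecessary one.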
And when using variables in a query with wpdb->prepare, don't place the variables in the query string itself, but pass them to prepare instead:
-$taxonomyid=$wpdb->get_var($wpdb->prepare("SELECT term_taxonomy_id FROM $wpdb->term_taxonomy where term_id=$termid")); +$taxonomyid=$wpdb->get_var($wpdb->prepare("SELECT term_taxonomy_id FROM $wpdb->term_taxonomy where term_id=%d", $termid));
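Review bot: the `%d` placeholder is the right choice for `term_id`, since it coerces `$termid` to an integer before it reaches the SQL, and leaving `$wpdb->term_taxonomy` interpolated is fine because that property is set by WordPress, not by the request. Style point: the line is unspaced (`$taxonomyid=$wpdb->get_var(`, `term_id=%d`) and uses lowercase `where`; spaces around `=` and an uppercase `WHERE` would match the WordPress coding standards.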
patch available here: https://www.dropbox.com/s/5lrtrrzd56ftd6d/media-library-categories_correct-use-of-wpdb-prepare.patch?dl=0
Hoping to be of service,
Remon
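To make the difference between the two patterns concrete, here is an added example that is not part of the post above and not code from the Media Library Categories plugin. Because WordPress is not loaded in a stand-alone script, `fakePrepare()` is an assumed, simplified stand-in that reproduces only the `%d` and `%s` placeholder behaviour of `wpdb::prepare()`; in a real plugin you would call `$wpdb->prepare()` itself. The table name and the hostile `term_id` value are constructed inputs.

```php
<?php
// Added example, not code from the plugin or the post above.
// Assumption: WordPress is not loaded, so fakePrepare() below is a simplified
// stand-in that mimics only the %d / %s behaviour of wpdb::prepare().
declare(strict_types=1);

/**
 * Simplified stand-in for wpdb::prepare(): %d becomes an integer, %s becomes an
 * escaped, quoted string. Not the WordPress implementation; just enough to
 * show why placeholders matter.
 */
function fakePrepare(string $query, ...$args): string
{
    $i = 0;
    return preg_replace_callback('/%[ds]/', function (array $m) use ($args, &$i): string {
        $value = $args[$i++] ?? null;
        if ($m[0] === '%d') {
            return (string) (int) $value;                 // %d: coerce to integer
        }
        return "'" . addslashes((string) $value) . "'";   // %s: escape and quote
    }, $query);
}

/**
 * The 'before' pattern from the post: $termid is interpolated straight into
 * the SQL string, so prepare() has nothing left to protect.
 */
function unsafeTermTaxonomyQuery(string $table, string $termid): string
{
    return fakePrepare("SELECT term_taxonomy_id FROM $table where term_id=$termid");
}

/**
 * The 'after' pattern: only the WordPress-controlled table name is
 * interpolated; the request-controlled value goes through a %d placeholder.
 */
function safeTermTaxonomyQuery(string $table, string $termid): string
{
    return fakePrepare("SELECT term_taxonomy_id FROM $table where term_id=%d", $termid);
}

// Constructed inputs: the prefixed table name WordPress would supply via
// $wpdb->term_taxonomy, and a hostile term_id as it might arrive from $_GET.
$table   = 'wp_term_taxonomy';
$hostile = '1 OR 1=1';

echo 'unsafe: ' . unsafeTermTaxonomyQuery($table, $hostile) . PHP_EOL;
echo 'safe:   ' . safeTermTaxonomyQuery($table, $hostile) . PHP_EOL;
```

Run it with `php example.php`. The unsafe variant emits a `WHERE term_id=1 OR 1=1` clause, which matches every row in the table, while the safe variant casts the same input to `1` and leaves the condition intact. The real `$wpdb->prepare()` behaves the same way for `%d`, and current WordPress versions additionally raise a `_doing_it_wrong` notice when `prepare()` is called on a query that contains no placeholders at all, which is the situation the first hunk of the patch removes.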
The topic ‘Correct use of wpdb->prepare’ is closed to new replies.