• I noticed the plugin uses wpdb->prepare incorrectly; wpdb->prepare is used to safely inject variables in a query. Without variables to inject, you don’t need wpdb->prepare;

    -				$row_count = $wpdb->get_var( $wpdb->prepare( $query ) );
    +				$row_count = $wpdb->get_var( $query );
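    Review bot: dropping $wpdb->prepare() is only correct if $query is entirely static; if $query is assembled from variables somewhere above this line, the hunk leaves them unparameterized, and the fix should instead move those variables into %d/%s placeholders inside prepare() rather than remove the call. The removed form, prepare( $query ) with no placeholders and no extra arguments, already triggers a _doing_it_wrong notice in WordPress, so a one-line comment stating that $query carries no input would tell the next reader why get_var() is called directly here.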

    and when using variables in a query in wpdb->prepare, don’t place the variables in the query, but use prepare for that.

    -$taxonomyid=$wpdb->get_var($wpdb->prepare("SELECT term_taxonomy_id FROM $wpdb->term_taxonomy where term_id=$termid"));
    +$taxonomyid=$wpdb->get_var($wpdb->prepare("SELECT term_taxonomy_id FROM $wpdb->term_taxonomy where term_id=%d", $termid));
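    Review bot: the %d placeholder is the right fix, since on the removed line $termid was interpolated into the string before prepare() ran and so was never escaped; $wpdb->term_taxonomy staying interpolated is fine because it is a wpdb property, not request data. Be aware that %d casts non-numeric input to 0, so callers should validate $termid before this query if a silent match on term_id = 0 is undesirable; also consider upper-casing "where" and adding spaces around "=" to match the rest of the query's style.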

    patch available here: https://www.dropbox.com/s/5lrtrrzd56ftd6d/media-library-categories_correct-use-of-wpdb-prepare.patch?dl=0

    Hoping to be of service,
    Remon
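    The pattern described in the post, as an added example that is neither code from the original post nor from the plugin under discussion. It assumes it runs inside a loaded WordPress install (for instance from a plugin file) so that the global $wpdb object exists; the function names are hypothetical. It goes slightly beyond the post by also covering LIKE patterns and IN (...) lists, the two places where people most often fall back to string concatenation.

```php
<?php
/*
 * Added example, not code from the original post or from the plugin
 * being discussed. Assumes a loaded WordPress install so that the
 * global $wpdb exists. Function names are hypothetical.
 */

// 1. A query with no variables: call get_var() directly. Wrapping a
//    placeholder-free string in prepare() triggers a _doing_it_wrong notice.
function example_count_attachments() {
    global $wpdb;
    $query = "SELECT COUNT(*) FROM {$wpdb->posts} WHERE post_type = 'attachment'";
    return (int) $wpdb->get_var( $query );
}

// 2. A query with variables: never interpolate them into the SQL string.
//    Pass them to prepare(): %d casts to integer, %s is quoted and escaped.
//    Table names come from wpdb properties, never from request data.
function example_taxonomy_id_for_term( $termid, $taxonomy ) {
    global $wpdb;
    return $wpdb->get_var( $wpdb->prepare(
        "SELECT term_taxonomy_id FROM {$wpdb->term_taxonomy}
         WHERE term_id = %d AND taxonomy = %s",
        $termid,
        $taxonomy
    ) );
}

// 3. LIKE patterns: escape the user value with esc_like() first, then
//    bind it with %s so the wildcards you add are the only wildcards.
function example_search_attachment_titles( $needle ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $needle ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'attachment' AND post_title LIKE %s",
        $like
    ) );
}

// 4. IN (...) lists: prepare() has no list placeholder, so build one %d
//    per value and spread the values as prepare() arguments.
function example_attachments_in_terms( array $term_taxonomy_ids ) {
    global $wpdb;
    $ids = array_map( 'intval', $term_taxonomy_ids );
    if ( empty( $ids ) ) {
        return array();
    }
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    $sql = "SELECT object_id FROM {$wpdb->term_relationships}
            WHERE term_taxonomy_id IN ( $placeholders )";
    return $wpdb->get_col( $wpdb->prepare( $sql, ...$ids ) );
}
```

    The rule of thumb behind all four functions: anything that originates outside the code (request parameters, post meta, option values) goes through a prepare() placeholder; only table names taken from $wpdb properties and SQL you wrote yourself belong in the format string.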

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author jeffrey-wp

    (@jeffrey-wp)

    Hi Remon,

    I think you’ve got me confused with another plugin. The code you posted does not exist in my plugin. Nor do the files media-categories.php and sort.php.
    I’ve also checked the use of $wpdb->prepare in my plugin and it’s used the safe way.

    Thread Starter Internetbureau Clearsite

    (@clearsite)

    Well, this is embarrassing …

    I apologise; I will try to find the co-worker who posted this and ask him/her about it.

    In the meantime, thank you for your response and sorry for wasting your time.

  • The topic ‘Correct use of wpdb->prepare’ is closed to new replies.