• I’ve been reading about protection from SQL injection attacks which I want to do but I can’t tell if I’m supposed to use prepare on a SQL insert or not.

    Reading Andrew Nacin’s post about the change to prepare it looks like it’s only on reads from the database. But the example in the Codex shows an Insert. The example also uses a Post ID which I wouldn’t have with pushing new data into a database.

    So I think the answer is no but I’d really like to know for sure.

    TIA.

Viewing 6 replies - 1 through 6 (of 6 total)
  • Jason Adams

    (@jason_the_adams)

    Hi Lorax!

    There’s never a circumstance in which it’s a bad idea to use Prepare. Use it when you Insert, Select, Update, and Delete. You want to be protected in all circumstances from SQL injection, not just some.

    I’ve also found that using prepared statements helps organize your code better and forces you to be more intentional about when and how you’re interacting with the database — as opposed to executing SQL here and there whenever it seems convenient.

    Hope this helps!

    Thread Starter Gregg

    (@lorax)

    Thanks Jason,
    I agree and would prefer to use it but I’m having a bit of trouble with

    • syntax on a Select *
    • how to check to see if it's working

    [Moderator Note: Please post code & markup between backticks or use the code button. Your posted code may now have been permanently damaged by the forum’s parser.]

    Thread Starter Gregg

    (@lorax)

    Apologies.

    If you’re using $wpdb->query( "INSERT INTO ..." ) then you need to prepare things. But nearly all insertions can simply be done by $wpdb->insert(), which does not require a prepare as that is done internally.
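    The two forms contrasted above, side by side, as an added example that is not code from the original thread or from WordPress itself; it assumes a hypothetical plugin table `$wpdb->prefix . 'lorax_items'` with columns `id`, `name` and `qty`, and also covers the `SELECT *` syntax and the "how do I check it worked" question from earlier in the thread.

```php
<?php
// Added example (not from the thread). Table and columns are hypothetical.
global $wpdb;
$table = $wpdb->prefix . 'lorax_items';

// Untrusted input (constructed for the example): sanitize, then pass as a
// separate argument, never by string concatenation into the SQL.
$name = sanitize_text_field( $_POST['name'] ?? '' );
$qty  = (int) ( $_POST['qty'] ?? 0 );

// 1. Raw SQL through $wpdb->query(): you must prepare() it yourself.
//    %s is a string placeholder, %d an integer placeholder.
$wpdb->query( $wpdb->prepare(
    "INSERT INTO {$table} (name, qty) VALUES (%s, %d)",
    $name,
    $qty
) );

// 2. The same insert via $wpdb->insert(): escaping is done internally, so
//    there is no prepare() call. The third argument gives a format per column.
$wpdb->insert( $table, array( 'name' => $name, 'qty' => $qty ), array( '%s', '%d' ) );
$new_id = $wpdb->insert_id;

// 3. $wpdb->update() escapes internally in the same way:
//    (table, data, where, data formats, where formats).
$wpdb->update( $table, array( 'qty' => $qty + 1 ), array( 'id' => $new_id ), array( '%d' ), array( '%d' ) );

// 4. SELECT * with prepare(): placeholders stand in for values only, never for
//    table or column names, so the table name comes from $wpdb->prefix above.
$rows = $wpdb->get_results( $wpdb->prepare(
    "SELECT * FROM {$table} WHERE name = %s AND qty > %d",
    $name,
    0
) );

// 5. Checking that it worked: the final SQL that was sent, and any MySQL error.
//    The value from $name appears quoted and escaped in last_query.
error_log( $wpdb->last_query );
if ( $wpdb->last_error ) {
    error_log( 'wpdb error: ' . $wpdb->last_error );
}
```

Feed a name containing a single quote (for example `O'Reilly`) through a test form and read `$wpdb->last_query` in the debug log to confirm the quote arrives escaped rather than breaking the statement.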

    Thread Starter Gregg

    (@lorax)

    Perfect. Thanks Andrew. Would the same be true of $wpdb->update — that’s taken care of internally?

    Thread Starter Gregg

    (@lorax)

    For anyone that reads this thread these were helpful:

    Data Validation (codex)
    Data Sanitation and Validation (external)

  • The topic ‘Is prepare needed for insert query?’ is closed to new replies.