Skip to content

Commit

Permalink
[Documentation]: WordPress.DB.PreparedSQL (WordPress#2454)
Browse files Browse the repository at this point in the history
* Docs: add documentation for WordPress.DB.PreparedSQL

---------

Co-authored-by: Juliette <[email protected]>
  • Loading branch information
jaymcp and jrfnl authored Jul 23, 2024
1 parent d77b020 commit 32fe3c4
Showing 1 changed file with 51 additions and 0 deletions.
51 changes: 51 additions & 0 deletions WordPress/Docs/DB/PreparedSQLStandard.xml
Original file line number Diff line number Diff line change
@@ -0,0 +1,51 @@
<?xml version="1.0"?>
<documentation xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:noNamespaceSchemaLocation="https://phpcsstandards.github.io/PHPCSDevTools/phpcsdocs.xsd"
title="Prepared SQL"
>
<standard>
<![CDATA[
When querying the database, you should use $wpdb->prepare() to escape and quote the contents of variables. This prevents SQL injection.
Use placeholders for all variables used in the query. You should not use variable interpolation or concatenation.
]]>
</standard>
<code_comparison>
<code title="Valid: Placeholders with $wpdb->prepare() used for all variables in query.">
<![CDATA[
$wpdb->prepare(
'SELECT * from table
WHERE field = <em>%s</em>',
<em>$_GET['foo']</em>
);
]]>
</code>
<code title="Invalid: Interpolated variables used in $wpdb->query().">
<![CDATA[
$wpdb->query(
"SELECT * from table
WHERE field = <em>{$_GET['foo']}</em>"
);
]]>
</code>
</code_comparison>

<code_comparison>
<code title="Valid: Placeholders with $wpdb->prepare() used for all variables in query.">
<![CDATA[
$wpdb->prepare(
'SELECT * from table
WHERE field = <em>%s</em>',
<em>$value</em>
);
]]>
</code>
<code title="Invalid: Concatenation of variables used in $wpdb->*().">
<![CDATA[
$wpdb->get_results(
"SELECT * from table
WHERE field = <em>" . $value</em>
);
]]>
</code>
</code_comparison>
</documentation>

0 comments on commit 32fe3c4

Please sign in to comment.