From 32fe3c4b62d54aa4e82d03d71979685a2bd2e677 Mon Sep 17 00:00:00 2001 From: Jay McPartland <2131911+jaymcp@users.noreply.github.com> Date: Tue, 23 Jul 2024 10:37:46 +0100 Subject: [PATCH] [Documentation]: WordPress.DB.PreparedSQL (#2454) * Docs: add documentation for WordPress.DB.PreparedSQL --------- Co-authored-by: Juliette <663378+jrfnl@users.noreply.github.com> --- WordPress/Docs/DB/PreparedSQLStandard.xml | 51 +++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 WordPress/Docs/DB/PreparedSQLStandard.xml diff --git a/WordPress/Docs/DB/PreparedSQLStandard.xml b/WordPress/Docs/DB/PreparedSQLStandard.xml new file mode 100644 index 000000000..d58d61769 --- /dev/null +++ b/WordPress/Docs/DB/PreparedSQLStandard.xml @@ -0,0 +1,51 @@ + + + + prepare() to escape and quote the contents of variables. This prevents SQL injection. + Use placeholders for all variables used in the query. You should not use variable interpolation or concatenation. + ]]> + + + + prepare( + 'SELECT * from table + WHERE field = %s', + $_GET['foo'] +); + ]]> + + + query( + "SELECT * from table + WHERE field = {$_GET['foo']}" +); + ]]> + + + + + + prepare( + 'SELECT * from table + WHERE field = %s', + $value +); + ]]> + + + get_results( + "SELECT * from table + WHERE field = " . $value +); + ]]> + + +