I am wondering if wordpress' insert function also adds slashes to data. If it doesn't it would seem that the prepare query method would be better to prevent against SQL injection. I tried looking the issue up in there codex/api; however, it seems undocumented. Thanks!
相关问题
- Views base64 encoded blob in HTML with PHP
- Laravel Option Select - Default Issue
- PHP Recursively File Folder Scan Sorted by Modific
- Can php detect if javascript is on or not?
- Using similar_text and strpos together
This question is a little old and the codex may have been updated since it was asked. Both
wpdb->insert()
andwpdb->prepare()
provide the same level of safety regarding SQL escaping of input data.The codex states that the both the column and data values provided to the insert method should be raw, not SQL escaped.
I also took a quick look at the source to confirm. The implementation for the insert method uses
wpdb->prepare()
.Wordpress uses ezSQL to query the database. Technically, it is not an abstraction layer but it does take away some of the boilerplate code. ezSQL has a function
escape
so I assume that Wordpress would always call the escape function before executing a query. But to be certain you would have to take a look at the source code.This is how you escape a string in Wordpress:
$safe_string = $wpdb->escape($unsafe_string);