
Proper and standard use of $wpdb->prepare #2442

Closed
farhadsakhaei opened this issue Apr 9, 2024 · 4 comments

Comments


farhadsakhaei commented Apr 9, 2024

Hi,

Bug Description

I am developing a plugin and I use the WordPress coding standard (Code Sniffer),
but I get the following standard error on this code.
I need to know how I can use $wpdb->prepare in the following code to pass the standard.

Minimal Code Snippet

$get_order = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM {$table_name} WHERE order_id = %d", $order_id ) );

I get this error:

Use placeholders and $wpdb->prepare(); found interpolated variable {$table_name} at "SELECT * FROM {$table_name} WHERE order_id = %d"

"code": "WordPress.DB.PreparedSQL.InterpolatedNotPrepared",
"severity": 8,
"message": "Use placeholders and $wpdb->prepare(); found interpolated variable {$table_name} at \"SELECT * FROM {$table_name} WHERE order_id = %d\"",
"source": "PHPCS",

Could you please mention a standard way of using $wpdb->prepare with a table name variable?
When I use the table name as a placeholder in $wpdb->prepare, I get another SQL error because it adds a ' sign around the table name!!

Thank you for any help

dingo-d (Member) commented Apr 9, 2024

If this is a custom table name, you can either pass it as a parameter to the prepare statement or use:

"SELECT * FROM {$wpdb->prefix}_table_name WHERE..."

The table name could be something like wc_orders_meta.

You'll still get the Use of a direct database call is discouraged. (WordPress.DB.DirectDatabaseQuery.DirectQuery) error.

I'd recommend using native WooCommerce (from the looks of the DB query) functions to get information about the order, like:

$order = wc_get_order( $order_id );

dingo-d closed this as not planned Apr 9, 2024

farhadsakhaei (Author) commented Apr 9, 2024

Hi @dingo-d, thank you for your reply.

As you can see, I used {$table_name} in the string.
I can't use the table name as a placeholder in $wpdb->prepare because I get an SQL error (because of adding a ' sign around the name),
and this is not a WooCommerce plugin.
I still get an ERROR, not a warning:

[{
	"code": "WordPress.DB.PreparedSQL.InterpolatedNotPrepared",
	"severity": 8,
	"message": "Use placeholders and $wpdb->prepare(); found interpolated variable {$table_name} at \"SELECT * FROM {$table_name} WHERE order_id = %d\"",
	"source": "PHPCS"
}]

dingo-d (Member) commented Apr 9, 2024

Take a look at this update.

You can use this:

global $wpdb;

$table_name = 'your_table_name';
$field      = 'order_id';
$order_id   = ''; // Your order ID.

// %i is the identifier placeholder (WordPress 6.2+): it backtick-quotes table and
// column names instead of adding the single quotes that %s would.
$get_order = $wpdb->get_results( $wpdb->prepare( "SELECT * FROM %i WHERE %i = %d", $table_name, $field, $order_id ) );
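
A fuller version of the same pattern, added here as an example and not taken from the thread: the table name is resolved from an allow-list instead of being caller-controlled, `%i` is used where available, and a fallback covers WordPress versions before 6.2. The function, table and column names are hypothetical, and a loaded WordPress `$wpdb` is assumed.

```php
<?php
// Added example, not code from the thread: keep the table identifier out of
// string interpolation so the InterpolatedNotPrepared sniff passes and the
// name can never change the shape of the query. Assumes a WordPress context
// where $wpdb is loaded; table/column names and the function are hypothetical.

/**
 * Fetch rows for one order from a plugin-owned table.
 *
 * @param string $table_key Key into the allow-list below, never a raw table name.
 * @param int    $order_id  Order identifier supplied by the caller.
 * @return array|null Result rows, or null when the table key is unknown.
 */
function myplugin_get_order_rows( $table_key, $order_id ) {
	global $wpdb;

	// Allow-list: the only tables this function may touch. Callers pass a short
	// key, so no caller-controlled string is ever placed into the SQL.
	$tables = array(
		'orders' => $wpdb->prefix . 'myplugin_orders',
		'meta'   => $wpdb->prefix . 'myplugin_order_meta',
	);
	if ( ! isset( $tables[ $table_key ] ) ) {
		return null;
	}
	$table_name = $tables[ $table_key ];
	$order_id   = absint( $order_id );

	if ( version_compare( get_bloginfo( 'version' ), '6.2', '>=' ) ) {
		// %i is the identifier placeholder (WordPress 6.2+): it wraps the name in
		// backticks, not the single quotes %s adds, which caused the SQL error in
		// the question. %d casts $order_id to an integer.
		$sql = $wpdb->prepare(
			'SELECT * FROM %i WHERE order_id = %d',
			$table_name,
			$order_id
		);
	} else {
		// Older WordPress has no %i. The identifier is allow-listed above, so
		// interpolating it is safe; tell the sniff why with a targeted ignore.
		// phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared -- $table_name is allow-listed.
		$sql = $wpdb->prepare( "SELECT * FROM `{$table_name}` WHERE order_id = %d", $order_id );
	}

	return $wpdb->get_results( $sql );
}
```

The allow-list is what makes the fallback acceptable: a targeted `phpcs:ignore` documents that the interpolated value cannot come from user input, which a blanket suppression would not.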

farhadsakhaei (Author) commented

@dingo-d
Great, thank you so much for your help.
