douji6199 2015-05-28 15:00

wpdb prepare was called incorrectly

I want to prepare my data to avoid SQL injections. This is my current working code to show a list of data from a table's column:

global $wpdb;
$sliders = $wpdb->get_results('SELECT alias, title FROM wp_revslider_sliders', ARRAY_A);

echo '<select name="revslider">';
if ($sliders) {
    foreach($sliders as $slide){
        echo '<option value="'.$slide['alias'].'" '.($select_revslider_shortcode == $slide['alias'] ? 'selected=""' : '').'>'.$slide['title'].'</option>';
    }
}
echo '</select>';

I need to use $wpdb->prepare to be sure that my data is correctly brought from the db. My current progress:

$sliders = $wpdb->query($wpdb->prepare("SELECT id, alias, title FROM wp_revslider_sliders", ARRAY_A));

This isn't working. I get a notice:

Notice: wpdb::prepare was called incorrectly. The query argument of wpdb::prepare() must have a placeholder.

Can anyone tell me where I'm wrong with my code?

Regards

1 answer

  • dtef9322 2015-05-28 15:43

    The prepare method is used to protect against SQL injection. You'd use it when you want to insert variables into your query. It accepts placeholders such as %s for string, %d for integers and %f for floats.

    Your query doesn't have any variables so you don't need the prepare method. You're seeing an error because you aren't using any placeholders.

    https://codex.wordpress.org/Class_Reference/wpdb#Protect_Queries_Against_SQL_Injection_Attacks

    This answer was selected by the asker as the best answer.
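
An added example, not part of the original question or answer, showing both cases the answer describes: the static query run without prepare(), and a query with variables bound through %s and %d. It assumes the code runs inside WordPress; pick_sliders(), its parameters and the slider_search request key are hypothetical names.

```php
<?php
// Added example; assumes it runs inside WordPress (so $wpdb, esc_attr(), etc. are loaded).
// pick_sliders() and its parameters are hypothetical names, not from the original post.

function pick_sliders( $title_search = '', $min_id = 0 ) {
    global $wpdb;

    // Table name as it appears in the question; a static identifier, not user input.
    $table = 'wp_revslider_sliders';

    if ( '' === $title_search && 0 === (int) $min_id ) {
        // No variables in the SQL: nothing to bind, so prepare() is not needed.
        // ARRAY_A is an argument of get_results(), not of prepare().
        return $wpdb->get_results( "SELECT id, alias, title FROM $table", ARRAY_A );
    }

    // Variables enter the query only through placeholders:
    // %s is quoted and escaped as a string, %d is cast to an integer.
    // esc_like() escapes % and _ in the term so they match literally.
    $like = '%' . $wpdb->esc_like( $title_search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, alias, title FROM $table WHERE title LIKE %s AND id >= %d",
        $like,
        $min_id
    );

    // get_results() returns the rows; query() would return only a row count for SELECT.
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Constructed request input: a search term from the query string (hypothetical key).
$term    = isset( $_GET['slider_search'] ) ? sanitize_text_field( wp_unslash( $_GET['slider_search'] ) ) : '';
$sliders = pick_sliders( $term, 1 );

echo '<select name="revslider">';
foreach ( (array) $sliders as $slide ) {
    // Values read back from the database are escaped for the HTML context they land in.
    printf(
        '<option value="%s">%s</option>',
        esc_attr( $slide['alias'] ),
        esc_html( $slide['title'] )
    );
}
echo '</select>';
```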
