Add info for preventing injection in WordPress

Also adds a new section called "Applications & Frameworks", which might be useful to consolidate info from other popular PHP applications and frameworks.
commit 036da47e1f36d744bae973c3fcd04485d0debf0f 1 parent 39904a5
@mjangda mjangda authored
Showing with 18 additions and 0 deletions.
+18 −0 s/
@@ -69,3 +69,21 @@ And a shorter way to pass things in.
$dbh = new PDO('mysql:dbname=testdb;host=', $user, $password);
$stmt = $dbh->prepare('UPDATE people SET name = :new_name WHERE id = :id');
$stmt->execute( array('new_name' => $name, 'id' => $id) );
+Applications & Frameworks
+If your site/blog/application is running on [WordPress](, you can use the `prepare` method of the `$wpdb` class, which supports both a sprintf()-like and vsprintf()-like syntax.
+ global $wpdb;
+ $wpdb->query( $wpdb->prepare( "SELECT name FROM people WHERE id = %d OR email = %s", $person_id, $person_email ) );
+For INSERTs, UPDATEs, and DELETEs, you can use the handy helper methods in the class, which allow you to specify the format of the submitted values.
+ global $wpdb;
+ $wpdb->insert( 'people', array( 'person_id' => '123', 'person_email' => '' ), array( '%d', '%s' ) );
+More details on the [WordPress Codex](
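Review bot: the two markdown links in this hunk have empty targets: `[WordPress](` on the line introducing `$wpdb->prepare` and `[WordPress Codex](` on the closing line both stop after the opening parenthesis, so they will render as broken links; fill in the URLs (and close the parentheses) before merging. Two smaller points on the examples: in the `$wpdb->insert( 'people', array( 'person_id' => '123', 'person_email' => '' ), array( '%d', '%s' ) )` line, `person_id` is given as the string `'123'` while its declared format is `%d`, and `person_email` is an empty string, so a reader cannot see the format array doing any work; passing an integer for the `%d` column and a non-empty sample address for the `%s` column would make the value-to-format mapping obvious. Since the section's point is that `prepare` is what keeps `$person_id` and `$person_email` out of the SQL string, a one-line sentence saying that these values should never be concatenated into the query directly would tie the two examples to the rest of the document.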