Description
The Formatting SQL Statements section currently includes a paragraph on string and integer placeholders:
> `%s` is used for string placeholders and `%d` is used for integer placeholders. Note that they are not 'quoted'! `$wpdb->prepare()` will take care of escaping and quoting for us. The benefit of this is that it is easy to see at a glance whether something has been escaped or not because it happens right when the query happens.
Is it worth adding that (when WordPress 6.1 is available) developers will be able to use %i for Identifiers (e.g. field and table names)?
Maybe this should be a separate paragraph? and maybe only added when 6.1 is released in October?
The intention is to avoid the risky feature where WordPress does not quote string/integer/float placeholders when they contain argnum/format, something that can be used today when (incorrectly) trying to use a variable for field/table names, e.g.
```php
$field = 'bad`quoting';
$value = '5 AND 1=1';
$wpdb->prepare( 'WHERE `%1$s` = %2$s', $field, $value ); // WHERE `bad`quoting` = 5 AND 1=1
```

This relates to WordPress Ticket #52506, Changeset #53575, and Pull Request #2072 for WordPress-Coding-Standards (thanks to Juliette, who has done a nice writeup about it, and pointed me to this repo).
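For reference, here is an added stand-alone model of the placeholder kinds discussed in this issue (`%s`, `%d`, `%f` and the 6.1 `%i`), written for this thread and not taken from WordPress core or this repo. `mini_prepare()` and `escape_value()` are assumed helper names; the value-escaping is a simplified stand-in for the connection-aware escaping that the real `$wpdb->prepare()` performs, so it only illustrates the quoting rules and is not a replacement for `$wpdb->prepare()`.

```php
<?php
// Simplified stand-in for MySQL string escaping (real code relies on the
// database connection's escaping); enough to show the quoting rule.
function escape_value(string $s): string {
    return addcslashes($s, "\\'\"\0\n\r\x1a");
}

// Model of placeholder handling: values are always quoted or cast,
// identifiers (%i) are backtick-quoted with embedded backticks doubled,
// and argnum placeholders such as %1$s are honoured.
function mini_prepare(string $query, ...$args): string {
    $next = 0; // index of the next unnumbered argument
    return preg_replace_callback(
        '/%(?:(\d+)\$)?([sdfi])/',
        function (array $m) use ($args, &$next): string {
            $index = ($m[1] !== '') ? ((int) $m[1]) - 1 : $next++;
            $arg   = $args[$index] ?? '';
            switch ($m[2]) {
                case 'd': return (string) (int) $arg;
                case 'f': return (string) (float) $arg;
                case 'i': return '`' . str_replace('`', '``', (string) $arg) . '`';
                default:  return "'" . escape_value((string) $arg) . "'";
            }
        },
        $query
    );
}

// The inputs from the issue above (constructed test data).
$field = 'bad`quoting';
$value = '5 AND 1=1';

// Identifier via %i and value via %s: both stay inside their quotes, so the
// stray backtick and the "AND 1=1" tail cannot change the query structure.
$sql = mini_prepare('WHERE %1$i = %2$s', $field, $value);
if ($sql !== "WHERE `bad``quoting` = '5 AND 1=1'") {
    throw new RuntimeException("unexpected output: $sql");
}
echo $sql, "\n";

// %d coerces the same value to an integer, dropping the injected tail.
echo mini_prepare('WHERE %i = %d', $field, $value), "\n";
```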