How do I escape a table name or column name in SQL? esc_sql doesn’t do this

Question

If you want to escape string values in an SQL query, you can use WordPress’s esc_sql function:

<?php

$wpdb->get_var( "SELECT * FROM something WHERE foo = '" . esc_sql( $foo ) . "'" );

You can also use the much more convenient prepare function like this:

<?php

$wpdb>-get_var(
    $wpdb->prepare(
        "SELECT * FROM something WHERE foo = %s",
        $foo
    )
);

However, esc_sql is not suitable for escaping table names or column names, (only string values). And there is no way to use prepare for escaping table names or column names.

How can I escape $foo and $bar properly in this example SQL query?

SELECT * FROM $foo WHERE $bar = "example";
0
Flimm 3 months 0 Answers 9 views 0

Leave an answer