How do I escape a table name or column name in SQL? esc_sql doesn’t do this
Question
If you want to escape string values in an SQL query, you can use WordPress’s esc_sql function:
<?php
$wpdb->get_var( "SELECT * FROM something WHERE foo = '" . esc_sql( $foo ) . "'" );
You can also use the much more convenient prepare function like this:
<?php
$wpdb->get_var(
$wpdb->prepare(
"SELECT * FROM something WHERE foo = %s",
$foo
)
);
However, esc_sql is not suitable for escaping table names or column names (only string values). And there is no way to use prepare for escaping table names or column names.
How can I escape $foo and $bar properly in this example SQL query?
SELECT * FROM $foo WHERE $bar = "example";
3 months
0 Answers
9 views
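The following is an added example, not code from the question above or from WordPress core, showing the two approaches a practitioner would use for identifiers: an allow-list of known table and column names (preferred), and backtick quoting with embedded backticks doubled for names that genuinely must be dynamic. The helper names (allowed_identifier, quote_identifier, build_query) and the schema lists are hypothetical; the value placeholder is left as %s so the returned string can be handed to $wpdb->prepare(). For reference, WordPress 6.2 and later also accept an %i placeholder in $wpdb->prepare() for identifiers; on older versions you need something like this yourself.

```php
<?php
// Added example (not from the question or WordPress core): safe handling of
// SQL table/column names, which esc_sql() and %s placeholders do not cover.

/**
 * Return $name only if it is one of the identifiers the application knows.
 * Exact, case-sensitive comparison; anything else is rejected.
 */
function allowed_identifier( string $name, array $allowed ): string {
    if ( ! in_array( $name, $allowed, true ) ) {
        throw new InvalidArgumentException( "Identifier not allowed: {$name}" );
    }
    return $name;
}

/**
 * Quote an identifier for MySQL/MariaDB: wrap it in backticks and double any
 * backtick inside the name, the only character that can close a backtick-quoted
 * identifier. Use this only for names that cannot be allow-listed (e.g. a table
 * built from $wpdb->prefix plus a fixed suffix).
 */
function quote_identifier( string $name ): string {
    if ( $name === '' || strpos( $name, "\0" ) !== false ) {
        throw new InvalidArgumentException( 'Invalid identifier' );
    }
    return '`' . str_replace( '`', '``', $name ) . '`';
}

/**
 * Build the question's query: identifiers are allow-listed and quoted, the
 * value stays a %s placeholder for $wpdb->prepare() rather than being
 * concatenated into the string.
 */
function build_query( string $table, string $column, array $known_tables, array $known_columns ): string {
    $t = quote_identifier( allowed_identifier( $table, $known_tables ) );
    $c = quote_identifier( allowed_identifier( $column, $known_columns ) );
    return "SELECT * FROM {$t} WHERE {$c} = %s";
}

// Hypothetical schema the application knows about.
$known_tables  = [ 'wp_posts', 'wp_users' ];
$known_columns = [ 'post_title', 'user_login' ];

// Normal case: both names are on the allow-list.
echo build_query( 'wp_posts', 'post_title', $known_tables, $known_columns ), "\n";

// Untrusted input that tries to break out of the identifier and append SQL.
$evil = 'wp_posts` WHERE 1=1 -- ';

// Quoting alone keeps it inside one identifier (the embedded backtick is doubled).
echo quote_identifier( $evil ), "\n";

// The allow-list rejects it outright before any query is built.
try {
    build_query( $evil, 'post_title', $known_tables, $known_columns );
} catch ( InvalidArgumentException $e ) {
    echo $e->getMessage(), "\n";
}
```

In a plugin you would pass the result to $wpdb->prepare( build_query( ... ), $value ) and then to get_var()/get_results(). The allow-list is the real control: quoting only guarantees the name is parsed as a single identifier, so the hostile string above becomes one backtick-quoted table name that does not exist rather than injected SQL, but it does nothing to stop a caller from reading a table they merely should not be allowed to name.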