Question
I have a perfectly working wpdb prepare statement before WordPress 3.5. This is my line:
$post_id = $wpdb->get_var($wpdb->prepare( "SELECT a.post_id
FROM $metatable AS a
JOIN $metatable AS b ON a.post_id = b.post_id
WHERE a.meta_value = '$valuex1' AND b.meta_value = '$valuex2'"));
Now with WordPress 3.5, this returns a warning since this is not fully sanitized. I have modified this to use placeholders as advised by WordPress:
$post_id = $wpdb->get_var($wpdb->prepare("SELECT a.post_id FROM $metatable AS a JOIN $metatable AS b ON a.post_id = b.post_id WHERE a.meta_value =%d AND b.meta_value =%s",$valuex1,$valuex2));
However, it no longer retrieves the correct information from the database. Is there something wrong with my modified query? How do I change it so that it works again?
Thanks for your help.
Answer 1:
My bad, this is so simple! WordPress uses two placeholders, %s and %d.
%s should be used when passing strings to the database, while %d should be used for integers.
My problem above is that I mixed them up: I used %d for strings or %s for integers. So the problem is resolved by using the correct placeholder for your specific data type. Problem solved.
For example, if you are querying the database using an id held in the PHP variable $id, the placeholder should be %d because it is an integer; otherwise, for strings such as names, etc., use %s.
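The following is an added example, not code from the question or the answer above, showing the query rewritten with placeholders that match the data types and why the %d version silently stopped matching. It assumes $wpdb is the global WordPress database object and $metatable holds a trusted meta table name; the sample values are constructed.

```php
<?php
// Added example; not from the original post. Assumes WordPress's $wpdb and a
// trusted table name in $metatable (e.g. $wpdb->postmeta). Sample values are constructed.

// Why the %d version returned nothing: wpdb::prepare() casts every %d argument
// with intval(), so a non-numeric string such as 'red' becomes 0 and the SQL
// ends up comparing meta_value against 0 instead of the intended text.
// %s arguments are escaped by prepare() and wrapped in quotes, so the
// placeholder itself must NOT be quoted in the SQL string.

// Both meta values are strings, so both get %s.
// Table names cannot be supplied through these placeholders (only values can),
// which is why $metatable stays interpolated and must come from a trusted source.
function find_post_by_two_meta_values( $wpdb, $metatable, $value1, $value2 ) {
    $sql = $wpdb->prepare(
        "SELECT a.post_id
         FROM {$metatable} AS a
         JOIN {$metatable} AS b ON a.post_id = b.post_id
         WHERE a.meta_value = %s AND b.meta_value = %s",
        $value1,
        $value2
    );
    return $wpdb->get_var( $sql );
}

// Use %d only for the argument that really is an integer (here post_id) and
// keep %s for the text column; mixing them the other way round is the bug
// described in the answer.
function find_post_by_id_and_meta_value( $wpdb, $metatable, $post_id, $value ) {
    return $wpdb->get_var( $wpdb->prepare(
        "SELECT post_id FROM {$metatable} WHERE post_id = %d AND meta_value = %s",
        $post_id,
        $value
    ) );
}

// Usage inside WordPress (constructed values):
// global $wpdb;
// $post_id = find_post_by_two_meta_values( $wpdb, $wpdb->postmeta, 'red', 'large' );
// $post_id = find_post_by_id_and_meta_value( $wpdb, $wpdb->postmeta, 42, 'large' );
```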
Source: https://stackoverflow.com/questions/13907607/how-to-convert-this-prepare-statement-to-use-placeholders-in-wordpress-wpdb