// sprintf()-style call: %s is quoted and escaped from 'foo', %d is filled from the integer 1337.
wpdb::prepare( "SELECT * FROM table WHERE column = %s AND field = %d", 'foo', 1337 )
// A percent sign that belongs to the SQL itself (here DATE_FORMAT's %c) is written as %% so it is
// not treated as a placeholder; only the %s is substituted.
wpdb::prepare( "SELECT DATE_FORMAT(field, '%%c') FROM table WHERE column = %s", 'foo' );
public prepare ( string $query, array | mixed $args ) : null | false | string
$query | string | Query statement with sprintf()-like placeholders |
$args | array | mixed | The array of variables to substitute into the query's placeholders if being called like {@link http://php.net/vsprintf vsprintf()}, or the first variable to substitute into the query's placeholders if being called like {@link http://php.net/sprintf sprintf()}. |
return | null | false | string | Sanitized query string; null if there is no query, false if there is an error, and a string if there was something to prepare |
/**
 * Prepares a SQL query for safe execution by escaping and quoting the supplied values.
 *
 * Placeholders follow sprintf() conventions: %s for strings (the value is escaped and
 * wrapped in single quotes here, so it must not be quoted in the query), %d for integers
 * and %f for floats (rewritten to %F so the output is locale independent). A literal
 * percent sign must be written as %% so it is not read as a placeholder. Values may be
 * passed either as one array (vsprintf() style) or as further positional arguments
 * (sprintf() style).
 *
 * @param string      $query Query with sprintf()-like placeholders.
 * @param array|mixed $args  Array of values, or the first of several positional values.
 * @return null|false|string null when no query was given, false when vsprintf() fails,
 *                           otherwise the prepared query string.
 */
public function prepare($query, $args)
{
    if (null === $query) {
        return;
    }

    // Not a full validation -- it only catches the obviously wrong call that has no placeholder at all.
    if (false === strpos($query, '%')) {
        _doing_it_wrong('wpdb::prepare', sprintf(__('The query argument of %s must have a placeholder.'), 'wpdb::prepare()'), '3.9');
    }

    // Everything after $query is a value; a single array argument means vsprintf() style.
    $values = func_get_args();
    array_shift($values);
    if (isset($values[0]) && is_array($values[0])) {
        $values = $values[0];
    }

    // Strip quotes a caller may already have put around %s (single or double) ...
    $query = str_replace(["'%s'", '"%s"'], '%s', $query);

    // ... then make floats locale independent and put single quotes around every %s.
    // The negative lookbehind leaves escaped sequences such as %%s untouched.
    $query = preg_replace(
        ['|(?<!%)%f|', '|(?<!%)%s|'],
        ['%F', "'%s'"],
        $query
    );

    // Each value is escaped in place before it is substituted; what escape_by_ref()
    // does to the value is defined elsewhere in this class.
    array_walk($values, [$this, 'escape_by_ref']);

    // NOTE(review): the @ hides vsprintf()'s warning on a placeholder/argument
    // mismatch (which yields the documented false); on PHP 8 that mismatch throws
    // ValueError instead, which @ does not suppress.
    return @vsprintf($query, $values);
}
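/**
 * Runs a query, binding values to "?" placeholders through wpdb::prepare().
 *
 * Every "?" in $query becomes a %s placeholder, so each parameter is escaped and
 * single-quoted by wpdb::prepare() regardless of its PHP type. Because prepare()
 * applies sprintf() semantics to the whole query, any percent sign the caller wrote
 * literally (a LIKE pattern such as 'abc%', or a DATE_FORMAT specifier) is doubled to
 * %% first so it is not misread as a format directive. This assumes the query uses
 * only "?" placeholders; a %s or %d written directly into $query would be escaped too.
 *
 * A "?" inside a string literal in $query is still treated as a placeholder, so such
 * characters belong in the bound values rather than in the SQL text.
 *
 * @param string $query      SQL with "?" placeholders.
 * @param array  $parameters Values for the placeholders, in order; when empty the
 *                           query is run verbatim without going through prepare().
 * @return mixed Whatever wpdb::query() returns for the statement.
 */
public function query($query, $parameters = array())
{
    if (!empty($parameters)) {
        // Protect literal percent signs from prepare()'s sprintf() handling, then
        // hand the "?" placeholders to it as %s (order matters: the new %s must not be doubled).
        $query = str_replace('%', '%%', $query);
        $query = str_replace('?', '%s', $query);
        // prepare() is documented to return false on an error (e.g. placeholder/argument
        // mismatch); that value is passed on to wpdb::query() unchanged.
        $query = $this->wpdb->prepare($query, $parameters);
    }

    return $this->wpdb->query($query);
}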