Getting warning of Missing argument 2 for wpdb::prepare()

Your prepare() statement is completely wrong. prepare() statements should be written in the style of sprintf(). You have to pass two arguments (for prepare() it became compulsory as of version 3.5); if you pass only one, you get the missing argument warning that you currently get. It will be beneficial if you look at how sprintf() works, as this will help you a lot here.

The purpose of WPDB::prepare() is to sanitize variable values passed to your statement in order to prevent SQL injection. This is extremely important. Hackers love to inject malicious code into form fields and URLs in order to try to get access to your site, and if you use unsanitized values from $_POST and $_GET and save that to the db, you save that malicious code with your values in the db, and boom, your site is open to the hacker.

A rule of thumb: if any data is coming from outside, i.e. any user-submitted data (and that includes you as well), never ever trust it. Always treat such data as infected and malicious. Never ever even trust yourself as well. SANITIZE, VALIDATE AND ESCAPE all data accordingly.

In your prepare statement, you should remove all your variables and replace them with the corresponding placeholders. Again, please read and understand the sprintf() function page. You cannot mix placeholders; the placeholder passed will determine the sanitation which will be used on the value of the variable. If your variable is supposed to be a string, use %s as the placeholder; if the value is an integer, use %d. I’m not going to go into this, as it is pure PHP, so be sure to go and read up on using placeholders and sprintf().

Just as an example, you can rewrite your statement as follows: (UNTESTED)

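// The table name cannot be bound with %s: prepare() wraps %s values in
// quotes, which is invalid for an identifier. It is interpolated here, so
// $table_name_sms must be set in code and never taken from user input.
$sql = $wpdb->prepare(
    "
        UPDATE {$table_name_sms}
        SET sftemplate_name = %s, sftemplate_type = %s, sftemplate_status = %s
        WHERE sfID = %d
    ",
    $message,               // %s: bound as a string
    $sfact_order_action,    // %s: bound as a string
    $someSwitchOption001,   // %s: bound as a string
    $_REQUEST['setid']      // %d: cast to an integer
);

// prepare() only builds the escaped SQL string; query() runs it.
$wpdb->query( $sql );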

A FEW NOTES

  • I think that using a variable to hold the table name is unnecessary, hardcode that.

  • I accepted that all values, except the last, should be a string; the last value is an integer

  • The above is just an example and is by no means a working example. You should first make sure that you understand how everything works before trying something on a live site

EDIT

If you do not fully understand prepare statements, why not just use WPDB::update()? It is much easier, faster from initial testing, and it automatically takes care of sanitation and validation, as it uses prepare() before updating the db.
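
The wpdb::update() route from the EDIT above, as an added example that is not part of the original answer. It assumes WordPress is loaded; the function name `example_update_sms_template()` and the `sms_templates` table suffix are hypothetical, while the column and variable names are the ones used in the statement above.

```php
<?php
// Added example: the same UPDATE through $wpdb->update(), with the id
// validated first and the return value checked afterwards.
function example_update_sms_template( $raw_id, $name, $type, $status ) {
    global $wpdb;

    // Validate before touching the database: absint() turns anything
    // non-numeric into 0, which is rejected here.
    $id = absint( $raw_id );
    if ( 0 === $id ) {
        return new WP_Error( 'bad_id', 'setid must be a positive integer.' );
    }

    // The table name is built in code from the site prefix, never from
    // the request. 'sms_templates' is a hypothetical suffix.
    $table = $wpdb->prefix . 'sms_templates';

    $result = $wpdb->update(
        $table,
        array(
            'sftemplate_name'   => sanitize_text_field( $name ),
            'sftemplate_type'   => sanitize_text_field( $type ),
            'sftemplate_status' => sanitize_text_field( $status ),
        ),
        array( 'sfID' => $id ),
        array( '%s', '%s', '%s' ), // formats for the SET values, in order
        array( '%d' )              // format for the WHERE value
    );

    // update() returns false on a database error, otherwise the number of
    // rows changed; 0 means no row matched or the values were already set.
    if ( false === $result ) {
        return new WP_Error( 'db_error', $wpdb->last_error );
    }
    return $result;
}

// Request values arrive slashed in WordPress, so unslash before use.
$updated = example_update_sms_template(
    isset( $_REQUEST['setid'] ) ? wp_unslash( $_REQUEST['setid'] ) : 0,
    $message,
    $sfact_order_action,
    $someSwitchOption001
);
```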
