I am not understandinhg $wpdb->prepare correctly

Ok, so there is one major problem with your code and it has nothing to do with escaping LIKE statements in SQL. But let me start from that…

There is nothing wrong with your escaping. You should do it exactly like that:

global $wpdb;
// Create a SQL statement with placeholders for the string input.
$sql3 = "SELECT id, post_date, post_title, guid FROM $wpdb->posts where 
post_type="attachment" and post_mime_type like %s;";
// Prepare the SQL statement so the string input gets escaped for security.
$sql3 = $wpdb->prepare( $sql3, $wpdb->esc_like('image').'%' );
echo $sql3;
$result3 = $wpdb->get_results( $sql3, OBJECT );

Although there is no point in escaping this time – you know exactly what string is passed in there and that it is secure.

So why $wpdb generates such strange SQL?

It’s a fix for that vulnerability: https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb-sql-injection-technical.html

This behavior was introduced in WP 4.8.3 and it’s making “double-preparing” sql-injection-safe…

So why is your code working incorrect?

$wpdb->get_results( $sql3, OBJECT );

is returning an array of objects (one for each selected row). It’s an array, so you can’t call ->num_rows on it…

If you want to count the rows, you can use:

count( $result3 );

or

$wpdb->num_rows;

Related Posts:

  1. Trouble inserting string containing quotations marks with wpdb in save_post hook
  2. Escaping a WPDB Object in One Shot
  3. $wpdb->get_row() only returns a single row?
  4. what is the way to see the currently executing query in wordpress?
  5. Fetch array with $wpdb
  6. $wpdb->last_error doesn’t show the query on error
  7. Theoretical Multi-Server WordPress Setup with Shared Users
  8. Delete/replace img tags in post content for auto published posts [closed]
  9. What does wp_update_post() do that the $wpdb class does not?
  10. wpdb-> not adding prefix to custom table
  11. WordPress insert NOW() in TIMESTAMP column returns all zeros
  12. $wpdb prepare issue with mysql DATE_FORMAT
  13. How-To: wpdb Insert Record With Date
  14. How to pass NULL in where array for $wpdb->update
  15. Get random row from custom table
  16. store custom WP table names in a global variable
  17. wpdb prepare: passing varible number of fields as second argument
  18. Wpdb query for comment meta for current post
  19. How to Modify this $wpdb query to accept an array of post statuses
  20. Using WPDB class
  21. show badge with count for pending items in custom post type
  22. WPDB Update using Conditional Arrays
  23. $wpdb->get_results returns empty but value exists
  24. WP Sql query multiple where clause
  25. Problem displaying inserted form
  26. What is _transient_random_seed for?
  27. Get published posts and pages?
  28. create drop down menu in theme customizer from custom db
  29. wpdb get_results() and prepare when to use prepare?
  30. Syntax for $wpdb->prepare when searching in two columns
  31. Foreach loop using $wpdb not results from rows
  32. Is it necessary to escape LIKE term in WP_User_Query?
  33. How to get a value-only flat array from $wpdb->get_results when selecting a single column, without foreach()?
  34. How to Instantiate wpdb Object in New File
  35. How do you build a wpdb query dynamically?
  36. Would this WPDB setup result in potential race conditions?
  37. How to update a row in a table in WordPress
  38. What’s the proper way to add users to my site in order to test things?
  39. Optimizing WordPress Queries – Removing Group By ID
  40. External DB Connection [closed]
  41. Codex: Database Description: meaning of Cardinality
  42. Code only works every other time its run
  43. Can’t pass variable in wordpress wpdb->get_results
  44. WordPress db prepare
  45. How do I count columns on a custom WPDB query?
  46. how to get db values without using an loop with wpdb->get_results()
  47. Custom SQL query ORDER BY term_order
  48. How to run wp_insert_post() & wpdb on the background?
  49. Trying to get variable from WP table and toggle its value
  50. Set MySQL variables in WPDB
  51. get_results query with accent
  52. Save data from a checkbox to a wpdb array
  53. How to prepare an array of values with $wpdb
  54. Is querying wpdb directly and skipping actions provided by WP’s core “wp_update_post” a good idea?
  55. WP-PostRatings: list current user’s rated posts
  56. $wpdb->insert() doesnt work anymore
  57. $wpdb query outputs php code instead of executing it
  58. WPDB Join with custom table
  59. wpdb query not working
  60. Where can I see MySQL hostname and port for wp-config.php
  61. WordPress wpdb->insert returns int(0) => doesn’t insert anything, no errors!
  62. Using “->” in a page to exceute $wpdb query gives error
  63. Why is this $wpdb query looping 5 times?
  64. Exclude specific terms from all queries using posts_where or something similar
  65. $wpdb->get_results not returning an array
  66. query a newly created table using $wpdb
  67. Get all sticky posts from one user through user ID
  68. WPDB Query Question with Category Only
  69. wpdb result arrray inside an array
  70. $wpdb->num_rows doesn’t work
  71. How can I change my meta_query to SQL wpdb query?
  72. How capturate wpdb exceptions?
  73. Limit left join
  74. “This message was added in version X” showing a later version than current one
  75. Get records from Formidable Table using $wpdb->get_col
  76. Prepare WPDB with meta key and meta value
  77. How to get row value from wpdb
  78. I am using wpdb but it not working perfectly.but if I dont use form data its work
  79. wont add form details to database or send me mail
  80. Get last element from wpdb as a string
  81. Missing argument 2 for wpdb::prepare() [duplicate]
  82. wpdb->update update the entire table instead of one row
  83. WPDP related functions look to work but they don’t
  84. Save customizer default values to DB on theme activation
  85. Plugin with connection to database – Single function
  86. Alter the main search query to search posts by coauthor user name
  87. Update all fields of table with ON DUPLICATE KEY UPDATE command
  88. Protect custom form from SQL injection
  89. why nl2br() is adding an extra ?
  90. How to add more custom fields in user meta table simultaneously
  91. wpdb->update error
  92. get unserialized array without using get_option()
  93. SQL Query to select post title & post ID from a particular category
  94. Create Table Failed Column Date DateType
  95. Using $wpdb to update current post
  96. Checking if meta_value exists for any user
  97. Can you create a new wpdb that connects to an SQL (not MYSQL) database? [duplicate]
  98. DBDelta: “table doesn’t exist” for a table that was just created
  99. query using wpdb in wordpress gets me no result
  100. WP Recommended Table Exclusions?