Is $wpdb->prepare escaping to much? How to use it properly?

What you did wrong here was to prepare those items in the first place.

You only run “data” variables through prepare(). You don’t run table names, or sort directions, or limits through it. These are part of the SQL command itself, they are not data that refers to information which is stored in a column in the database.

Your SELECT query has no data inputs… therefore it does not have any inputs that can be prepare’d.

For the specific case of a SELECT, data is the stuff in the WHERE clause. column = %s and so on. That is a variable piece of data that can be potentially unsafe because it possibly comes from user input. So that data must be run through prepare to make it safe. But if you have a hardcoded “DESC” for the ordering, then there’s no point in running it through prepare. It’s “DESC”. It’s safe as is. Only data that you do not know what it is can be unsafe.

Edit: That said, if data does come from user input, like if the user can select the number of items to display, then that data must be sanitized. So limits can be run through prepare as they are integers and might come from a user selecting “5” or “10”.

However, you wouldn’t allow a user to directly input the table name, or sort order. They would pick a direction to display things, but you’d convert that into ASC or DESC. They would not pick “books” directly, but might select from a list which you interpret as “books”. That sort of thing.

Related Posts:

  1. Insert NULL value using prepare()
  2. Get error messages when $wpdb->insert() returns false?
  3. Detecting errors generated by $wpdb->get_results()
  4. Does dbDelta delete columns as well?
  5. wpdb update add current timestamp not working
  6. How to fetch Data in WordPress using MySQLi or $wpdb
  7. WordPress Unit Testing – Cannot Create Tables
  8. How to define composite keys with dbDelta()
  9. Is sanitize_text_field() is enough to save to DB?
  10. Does wpdb add considerable overhead on queries with large result sets?
  11. Why does $wpdb return strings for mysql integer values?
  12. $wpdb->prepare() warning in WordPress 3.5
  13. Inserting data into custom tables
  14. Hook into $wpdb
  15. Display data from a non wordpress database on a page template
  16. What is the most secure way to store post meta data in WP?
  17. How might I retrieve a featured post image from an external WP site and display it as a link back?
  18. Inserting Post Meta From SQL
  19. Why does dbDelta() not catch MysqlErrors?
  20. Connecting to external oracle database
  21. Can’t save ajax value to database
  22. What causes the “max_user_connections” warning on WordPress frontend?
  23. $wpdb variable throw this error Call to a member function get_results() on a non-object in
  24. Updating all rows of table with $wpdb
  25. Using two different DB users on one WP install
  26. Safe way to find last inserted id in a table?
  27. Database slowdown after update to 3.4.1
  28. Remove database entries where post_date > expiration date
  29. Get data from database using $WPDB
  30. Getting all the users who have author privilege
  31. Multiple postmeta with same name for one post in wp_postmeta table
  32. WP Database Table to CSV file
  33. In what part of the WordPress core does the users table and usermeta table get joined?
  34. Modify Database in Multi-Site wp_usermeta table
  35. Advanced SELECT query with condtional statements
  36. $wpdb doesn’t like to store arrays
  37. WordPress choose wrong database
  38. Redirecting to old domain after migration website
  39. Create table from array with prepare
  40. Does WordPress $wpdb functions wait when table is locked?
  41. How Can I Put Meta_Compare in the Database-Query?
  42. WordPress running SQL query to update database from form
  43. What’s the proper way to sanitize checkbox value sent to the database
  44. I’m not able to get access to $wpdb [duplicate]
  45. WPDB SQL query with prepare() returning variable, not db value
  46. $wpdb error (Call to a member function insert() on a non-object)
  47. Is it important to have integers inserted using %d rather than %s?
  48. Problem in using wpdb
  49. How to fetch records from database WordPress
  50. Best practice to limit results in get_row()?
  51. Best practice to import user base (subscribers) from one website to another?
  52. AJAX wp-mysql running too slow
  53. Clear Terms from Taxonomy for Specific Post IDs?
  54. Trouble running $wpdb->query() with last_insert_id
  55. Connecting to a different database
  56. Using $wpdb | checking entered email against existing emails in db
  57. Query Column of Specific ID from Database Table
  58. How to delete a particular row in a database table
  59. How to create more than one new wpdb object?
  60. Optimizing function that automatically creates internal links based on post title string
  61. Update multiple rows in one query
  62. How to connect and insert data in database of wordpress?
  63. WordPress security [closed]
  64. Get results from wordpress data custom table
  65. Should I use an additional column in the DB?
  66. access JSON results from wordpress database with wpdb
  67. Getting value from database table depending on field value
  68. add_post_meta — not working
  69. Select From wpdb – Author/User Directory page
  70. Secure way to use name_save_pre?
  71. wpdb->insert not inserting first variable
  72. How do I have a user upload a blog post and then retrieve that to display in a card on the site?
  73. $wpdb->insert not inserting all rows
  74. wpdb Insert unknown post data dynamic foreach loop
  75. How do I get database rows from a custom table using wpdb?
  76. SELECT rows between two datetimes when the range is dynamic [closed]
  77. Help with $wpdb on custom code
  78. “BS_” rows in postmeta table
  79. $wpdb->insert duplicating rows
  80. How to rerieve comments and their replies from DB
  81. Can I use a wpdb object to connect to a non-WordPress Oracle database [duplicate]
  82. Help posting values to DB on submit using $wpdb->query
  83. WordPress Database Query works in phpMyAdmin but not in the code
  84. 2 $wpdb queries causing error Table ‘wp_postmeta’ is specified twice, both as a target for ‘UPDATE’
  85. Correct and secure way to access a custom SQL database in a custom PHP template file
  86. Using $wpdb to insert data into a table
  87. spambot registering without providing email or password, bypassing registration process
  88. How To connect to the same WordPress database with different database user
  89. Accessing content from third party as native posts in WordPress
  90. Call to a member function insert()
  91. I have include wp-config, should I add global $wpdb also?
  92. Processing a lot of $wpdb isn’t insert all the data
  93. Can’t Install WordPress (local) Failed to open file wp-includes/wp-db.php
  94. Pulling values from a sepcific row in table
  95. Creating Tables in WordPress Database
  96. Inserting into data into external DB using WPDB
  97. Insert Extra fields added in the front end registration form to DB
  98. How to use remote db tables in current config? [duplicate]
  99. $wpdb->insert not working for last select option
  100. $wpdb->prepare returns empty array