Prepared statements used incorrectly in ACF?

I’m pretty sure that you ARE incorrect.

Let’s taka a closer look at this code you mentioned in your question.

In first line it sets $where variable:

$where="WHERE ID IN (" . substr(str_repeat('%d,', count($my_options['acf_posts'])), 0, -1) . ')';

So what this line really does is:

  • get the number of some options (let’s call it ‘N’)
  • repeats %d placeholder N times
  • append it to string WHERE ID IN ('.

So $where variable contains a string like this:

WHERE ID IN (%d, %d, %d, ...)

… and as you can see, this string CONTAINS placeholders.

Just after this line comes real query, which is build using this $where variable, and the option values ARE inserted using these placeholders.

There isn’t anything bad in using variables, when you build query string, if these variables contains safe strings (i. e. don’t contain values comming from user).

PS. Take a look at this code:

$sql = "SELECT * FROM {$wpdb->posts} WHERE ID=%d";
$results = $wpdb->get_results( $wpdb->prepare( $sql, 10 ) );

Do you think this is also a vulneribility?

Related Posts:

  1. Search and replace not working for ACF Images
  2. wordpress REST-API upload image to ACF
  3. Order and group posts by acf by month and year
  4. How to add a custom field to quick edit
  5. Gutenberg First Block on Page Conditional?
  6. Comparing arrays with meta_query in pre_get_posts
  7. How to order by just the Time Field in Advanced Custom Fields
  8. Using Gutenberg parse_blocks Function With ACF Custom Blocks?
  9. Get specific repeater row (via advanced custom fields) based on Meta Query with Wildcards [closed]
  10. How to update custom taxonomy meta using ACF update_field() function or any other wordpress function
  11. Thumbnails generated from PDF in the “Media” section – how to show them in theme template?
  12. How to count ACF Flexible Content Rows?
  13. Query between dates using date picker filter breaks in WordPress 4.2.1
  14. Get ACF value after update user using save_post
  15. random p tag in advanced custom fields?
  16. How can I track and output when a field is updated? (currently using Advanced Custom Fields)
  17. How to write PHP array to render JSON-LD Markup for Job Postings, with ACF
  18. Add up values from ACF number field
  19. Advanced Custom Fields: Conditional Statement with Select
  20. Add PDF to ACF image field from file url
  21. ACF: How to make get_field() ignore the main wp query?
  22. Bulk-Update Custom Posts
  23. Group ACF repeater fields from differrent posts
  24. How to get custom fields in a post when published
  25. Get all custom fields with wp’s get_posts()
  26. How to populate a parent page with its child subpages and associated templates
  27. Find the first occurrence of a custom field
  28. ACF Add fields values to newly inserted post [closed]
  29. Programatically re-order images in the ACF gallery add-on. Orderby Title, ID, etc
  30. Not displaying posts that are in the past. ACF date > date
  31. acf repeater was free in start [closed]
  32. Use ACF select field to add a class to div inside a flexible content layout [closed]
  33. Website goes down while importing backup (Internal server 500)
  34. Outputing Post Object title as a div class with ACF
  35. ACF: If field contain a specific value, update value in another field programatically
  36. how to load random related posts with specific custom fields?
  37. Add original validation rule to Advance Custom Fields
  38. ACF – Pick first or second value from comma separated values
  39. How to get ACF value inside Gutenberg Block from another page or template? I’m using Timber too
  40. ACF Image field not displaying in WordPress with Visual Composer [closed]
  41. Frontend Form Checkbox Update ACF Field
  42. ACF and Gravity Form file upload frontend [closed]
  43. Trying to select 1 item from an array
  44. Query and display only by first letter of the get_field value
  45. Sorting get_terms, ACF is automatically removing duplicates
  46. Get ACF fields in relationships of returned post
  47. wpdb and acf via wp rest api
  48. How to acquire an ACF image using get_previous_post and get_next_post
  49. Building large multi-section pages with Advanced Custom Fields
  50. Showing a post depending on the Custom Field value
  51. Only Show an Advanced Custom Fields custom field on a specific template
  52. Advanced Custom Fields plugin : displaying a field while omitting the p tags
  53. Widget Code / Advanced Custom Fields / Elementor
  54. getting image from ACF
  55. How can I apply an ACF field to a single custom post if it refers to the taxomy of that post type in the rules?
  56. Getting “Years Only ” from ACF Date Picker field to Hidden filed in the fields group
  57. How to show related post having same relationship filed under single CPT?
  58. Trying to update repeater field (ACF) dynamically with data from Contact Forms 7
  59. Update field for repeater not working
  60. How can i add service category here? [duplicate]
  61. Get title color from category custom field
  62. WP Cron Working, but Function Not Working
  63. How to get a product’s Custom Fields in a different template file?
  64. How to do a WP_Query when a post has a relationship to anoter post via an ACF Post Object field, where the related post is in a certain category?
  65. Custom ACF block only outputs commented JSON to the DOM
  66. pre_get_posts hook not targeting search results page query
  67. ACF – get custom taxonomy term image field
  68. Populating ACF Image Fields from JSON file
  69. ACF group field disappeared after deployment using deployer script
  70. ACF Dynamic select not showing data
  71. Field has disappeared on post page
  72. Modification of RSS feed is not consistent
  73. Display posts every specific day
  74. How to use WP Backery on Wysiwyg ACF
  75. How to use germ_terms() with meta_query for ACF Taxonomy field?
  76. Looking for a javascript callback action to re-initiate a custom slideshow in gutenberg
  77. Hide Menu Items from guess user with ACF
  78. Advanced Custom Fields Gallery and Flex Slider [closed]
  79. Help using an array in ‘exclude’ key of another array
  80. Display custom image field in user profile
  81. Build table using Advanced Custom Fields
  82. Front page showing ACF only once, is that solvable to show the ACF per post? [closed]
  83. How can I get $wpdb to show MySQL warnings?
  84. Add column and acf field content for cpt
  85. Can’t get ACF repeater data in category template
  86. ACF scheduled repeater fields
  87. Get the category fields even if there is no post
  88. Advanced Custom Fields Show After Password [closed]
  89. Add routes between multiple ACF google maps markers [closed]
  90. Displays a string of linked images
  91. use advance custom field inside query post command [closed]
  92. Multiple loop issue – pull one featured and then continue the loop
  93. Check if meta_key exists in wp_list_pages
  94. Hebrew WP 3.5: plugin activated, does not appear in sidebar [duplicate]
  95. How to share specific data contained in repeated fields across multiple pages
  96. ACF + WPML: How to translate date fields?
  97. Using ACF custom field for custom post type to order categories
  98. PHP calls to custom fields not being made. Query seems to be blocking them
  99. Advanced Custom Fields – Issue with Slick Slider in ACF v6 Block
  100. How can I update an ACF field in a repeater on post save?
tech