wpdb prepare without placeholder

Short answer:
You should use the way described in the documentation, sanitize anything that goes in an SQL query, and always use prepared statements.

Slightly longer answer:
The main use of $wpdb->prepare() is to prevent against SQL injection attacks.
Here, we don’t know where 'foo', 1337 and '%bar' come from. And that’s somewhat the deciding factor.

From a security perspective:

  • If it doesn’t come in any way (even indirect) from user input, it’s ok not to use prepared statements
  • If it comes from user input, even indirectly, the prepared statement is required
  • Most importantly, no one can predict the future: these variables’ value may not, directly or indirectly, come in any way from user input, but an update down the line might change that.

Related Posts:

  1. What is a stored procedure?
  2. Unknown column in ‘field list’ error on MySQL Update query
  3. SQL Inner-join with 3 tables?
  4. Self Join to get employee manager name
  5. Conversion failed when converting date and/or time from character string while inserting datetime
  6. MySQL create table if not exists and insert record only if table was created
  7. error, string or binary data would be truncated when trying to insert
  8. ORA-00907: missing right parenthesis
  9. Rename column SQL Server 2008
  10. Why do we need “Relationships” between tables at all?
  11. Using group by on multiple columns
  12. Case statement in MySQL
  13. How to declare a variable in MySQL?
  14. How to implement one-to-one, one-to-many and many-to-many relationships while designing tables?
  15. ORA-01843 not a valid month- Comparing Dates
  16. How do I escape a single quote in SQL Server?
  17. Teradata: how to convert varchar value (format ‘dd.mm.yyyy’) to date (format ‘yyyy-mm-dd’ )?
  18. How Stuff and ‘For Xml Path’ work in SQL Server?
  19. Can’t connect to local MySQL server through socket ‘/tmp/mysql.sock’ (2)
  20. Oracle SELECT TOP 10 records
  21. must appear in the GROUP BY clause or be used in an aggregate function
  22. How can I return pivot table output in MySQL?
  23. The multi-part identifier could not be bound
  24. MySQL syntax for Join Update
  25. SQLite – UPSERT *not* INSERT or REPLACE
  26. how to drop partition without dropping data in MySQL?
  27. Simple way to calculate median with MySQL
  28. The ALTER TABLE statement conflicted with the FOREIGN KEY constraint
  29. Error 1046 No database Selected, how to resolve?
  30. What is it exactly a BLOB in a DBMS context
  31. How do I do multiple CASE WHEN conditions using SQL Server 2008?
  32. Insert text with single quotes in PostgreSQL
  33. SQL Server IF NOT EXISTS Usage?
  34. How to insert date values into table
  35. Arithmetic overflow error converting numeric to data type numeric
  36. I want to use CASE statement to update some records in sql server 2005
  37. SELECT DISTINCT on one column
  38. how to remove time from datetime
  39. TSQL PIVOT MULTIPLE COLUMNS
  40. MySQL – UPDATE multiple rows with different values in one query
  41. How to create a MySQL hierarchical recursive query?
  42. Microsoft OLE DB Provider for SQL Server error ‘80004005’
  43. Query to convert from datetime to date mysql
  44. How to query MongoDB with “like”
  45. Equivalent of Oracle’s RowID in SQL Server
  46. Subtract one day from datetime
  47. MySQL equivalent of DECODE function in Oracle
  48. Get current year in TSQL
  49. what is the difference between triggers, assertions and checks (in database)
  50. Is it possible to specify condition in Count()?
  51. Replacing NULL with 0 in a SQL server query
  52. How to delete from multiple tables in MySQL?
  53. How to copy a row and insert in same table with a autoincrement field in MySQL?
  54. Backup a single table with its data from a database in sql server 2008
  55. Error converting data type varchar
  56. updating table rows in postgres using subquery
  57. I want to use CASE statement to update some records in sql server 2005
  58. Cannot create an instance of OLE DB provider Microsoft.Jet.OLEDB.4.0 for linked server null
  59. ORDER BY items must appear in the select list if SELECT DISTINCT is specified
  60. ROW_NUMBER() in MySQ
  61. Foreign key references invalid table
  62. Is there a coalesce-like function in Excel?
  63. What are database constraints?
  64. How do I count unique items in field in Access query?
  65. Postgresql column reference “id” is ambiguous
  66. Inner Joining three tables
  67. How do I view the Explain Plan in Oracle Sql developer?
  68. ORA-01779: cannot modify a column which maps to a non key-preserved table
  69. SUM OVER PARTITION BY
  70. MySQL LIKE IN()?
  71. Filter data based on date in sql
  72. Varchar invalid for Sum operator
  73. SQL: How to properly check if a record exists
  74. What is a postgres superuser
  75. ora-06553 pls-306 wrong number or types of arguments in call to ‘ogc_x’
  76. SQL query to extract only the “current” wp_posts?
  77. Sorting search results by taxonomy terms
  78. SQL select of users by metadata
  79. How to properly sanitize strings without $wpdb->prepare?
  80. How to retrieve sticky post in raw sql?
  81. How to remove in the wordpress database all posts revisions except the last three?
  82. Backticks (`) Instead of Single Quotes (‘) in an SQL Statement?
  83. $wpdb get_var issue
  84. posts_where Fails with More than One Custom Field in Query
  85. Inserting rows into a custom table, when plugin is activated
  86. WordPress database error: You have an error in your SQL syntax
  87. Restose content from revisions – sql query
  88. Inner Join user tables to select users with roles
  89. $wpdb->prepare with LIKE returning blank array instead of rows
  90. Posts modified in the last 48 hours
  91. Removing posts by sql
  92. Why line returns are not reapply after doing esc_sql?
  93. post id not displaying
  94. Search results sort order failing: set by date only
  95. Insert multiple checkbox values
  96. How to get EVENT based on startday, using BETWEEN
  97. SQL to transform all email addresses in my DB in lowercase [closed]
  98. How to get the sum of each post with the same date
  99. How to dump a Microsoft SQL Server database to a SQL script?
  100. Deleting the MySQL database