Hacker News
by stephenr 2902 days ago
Parameterised queries done properly are sent to the database server specifically as a query with placeholders and values - the values are never evaluated as SQL, there is no chance for a userland bug/attack to perform SQL injection using them.

What WordPress does is basically glorified printf, substituting values into a string.

If you can’t see how this is a danger, you’re in no position to comment on the quality of the code.


Right, so you actually have absolutely nothing to say about the quality of wpdb.

My point stands. The worst problems in WordPress are the plugin ecosystem and poorly maintained instances.

Just because you choose to ignore valid criticism, that doesn't mean there is no criticism.

Go read https://blog.ircmaxell.com/2017/10/disclosure-wordpress-wpdb...

A couple of little snippets to highlight the point I'm trying to make:

> The current system is insecure-by-design. That doesn’t mean it’s always hackable, but it means you have to actively work to make it not attackable. It’s better to switch to a design that’s secure-by-default and make the insecure the exceptional case.

> The best path forward would be to switch to PDO/MySQLi and use real prepared statements and not emulate them in PHP land. That’s the best path forward.

But given that the core WordPress team basically ignore this type of suggestion from PHP core contributors, why would I expect you to believe me about it here?
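An added example, not code from the thread, from WordPress or from the linked blog post, illustrating the distinction the comments draw between a real server-side prepared statement and printf-style substitution in PHP. The `printf_query()` function below is a deliberately simplified, hypothetical stand-in for a printf-style builder (it is not `wpdb::prepare`); the `users` table and the inputs are constructed here, and the script assumes the `pdo_sqlite` extension is available.

```php
<?php
// Added example, not WordPress or wpdb code. It contrasts a server-side
// prepared statement (PDO) with a simplified, hypothetical printf-style
// builder that escapes values in PHP and splices them into the SQL text.
// Assumes the pdo_sqlite extension; table and inputs are constructed here.

/**
 * Hypothetical stand-in for printf-style query building (NOT wpdb::prepare):
 * each value is wrapped in single quotes, embedded single quotes are
 * doubled, and the result is substituted into the format with vsprintf.
 */
function printf_query(string $format, string ...$values): string
{
    $quoted = array_map(
        fn(string $v): string => "'" . str_replace("'", "''", $v) . "'",
        $values
    );
    return vsprintf($format, $quoted);
}

function open_db(): PDO
{
    // On MySQL you would also set PDO::ATTR_EMULATE_PREPARES => false so the
    // server, not the PHP driver, handles placeholders; pdo_sqlite is native.
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");
    return $pdo;
}

/** Real prepared statement: query text and value travel separately. */
function find_by_name_prepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

/** printf-style: safe only while the format string is entirely trusted. */
function find_by_name_printf(PDO $pdo, string $name): array
{
    $sql = printf_query('SELECT name FROM users WHERE name = %s', $name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/**
 * The printf failure mode: a WHERE fragment is built in one place and the
 * assembled string is run through the builder again elsewhere. A %s that
 * arrived inside *data* in the first pass is a live placeholder in the
 * second pass, and the quoting of the second value is doubled.
 */
function find_two_stage_printf(PDO $pdo, string $fragmentValue, string $secondValue): array
{
    $where = printf_query('name = %s', $fragmentValue);              // e.g. name = '%s'
    $sql   = printf_query("SELECT name FROM users WHERE $where", $secondValue);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

$pdo     = open_db();
$hostile = "' OR 1=1 --";   // constructed attacker-style input

var_dump(find_by_name_prepared($pdo, $hostile)); // empty: the value is never parsed as SQL
var_dump(find_by_name_printf($pdo, $hostile));   // empty: the escaping held, this time

// First value smuggles a placeholder into the fragment; the second pass then
// produces:  WHERE name = '''' OR 1=1 --''   which matches every row.
var_dump(find_two_stage_printf($pdo, '%s', $hostile)); // alice, bob
```

The third call is the point of the comparison: nothing in the printf approach distinguishes "SQL text" from "text that used to be a value", so correctness depends on every caller never re-substituting an already-built string. With the PDO statement the query text is fixed before any value is supplied, and no value, whatever it contains, can change its structure.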