by mpol 1210 days ago
WordPress uses the PHP-mysqli extension. The PHP-mysql extension is unused since WordPress 3.9, quite some years ago. You might mean PHP-pdo is advised. Can you explain why it is better in this regard?

Also $wpdb->prepare() uses parametrised values. Not everywhere in WordPress core is it being used. Most plugins use it for direct queries (not that common), but I don't know if the plugin team refuses plugins when they are not using it.

2 comments

Read this article for a primer on why PDO is a vastly better choice: https://phpdelusions.net/pdo#why

And the fact that it’s 2023 and we’re somehow ok with the biggest web application there is not using parametrised queries in its core completely stumps me. Time and time again, SQL injection attacks in Wordpress or its plugins pop up. PDO with parametrised queries simply eliminates this issue.

> PDO with parametrised queries simply eliminates this issue.

True, but plugin authors not caring about using them is the primary issue, and that doesn't change just because wpdb uses a different API under the hood.

No, but nobody will encourage them to. Wordpress has fostered an ecosystem of bad practices that is mostly resistant to change.
> Also $wpdb->prepare() uses parametrised values.

They appear to be a hand-rolled PHP version of imitation client-side parameterized values, not the actual database library ones.

https://github.com/WordPress/WordPress/blob/master/wp-includ...

Wow. That is so much code just to avoid calling mysqli_prepare(). And they insist on using a weird printf inspired syntax instead of ? or :field.
I suppose it's pretty battle-hardened by now, but I'd be afraid to ever touch that code for fear of introducing a SQL injection.
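As an added example (not code from WordPress core or from any commenter in the thread), here is the contrast the thread is drawing, in PHP: direct string interpolation, a simplified printf-style client-side emulation of placeholders like the one described above, a genuine server-side prepared statement via mysqli_prepare(), and the PDO equivalent with the caveat the PDO article is usually cited for. The table and column names (`wp_posts`, `post_name`), the `prepare_emulated` helper and the environment-variable credentials are assumptions for illustration; the emulation is a sketch of the approach, not wpdb's implementation.

```php
<?php
declare(strict_types=1);

// Added example, not WordPress core code. The table `wp_posts` and its columns
// are used for illustration only; the connection details come from environment
// variables and are assumptions.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// (a) Direct interpolation: the query text is built from user input, so a value
//     like "0 OR 1=1" changes the statement's structure. Defined for contrast
//     only; it is never called below.
function find_post_unsafe(mysqli $db, string $id): ?array
{
    $res = $db->query("SELECT ID, post_title FROM wp_posts WHERE ID = $id");
    return $res->fetch_assoc() ?: null;
}

// (b) Client-side emulation of placeholders in a printf-like style (a
//     simplified sketch, not wpdb's code). Each %s argument is escaped using
//     the connection's charset rules and spliced into the SQL text before
//     anything reaches the server. Correctness rests on the escaping, on the
//     connection charset being set properly, and on the caller never putting
//     user input into $format itself.
function prepare_emulated(mysqli $db, string $format, string ...$args): string
{
    $quoted = array_map(
        fn (string $a): string => "'" . $db->real_escape_string($a) . "'",
        $args
    );
    return vsprintf($format, $quoted);
}

function find_post_emulated(mysqli $db, string $slug): ?array
{
    $sql = prepare_emulated(
        $db,
        'SELECT ID, post_title FROM wp_posts WHERE post_name = %s',
        $slug
    );
    return $db->query($sql)->fetch_assoc() ?: null;
}

// (c) A real server-side prepared statement via mysqli_prepare(): the SQL text
//     with its ? placeholder is sent first, and the parameter value travels
//     separately in the binary protocol, so it is never parsed as SQL.
function find_post_prepared(mysqli $db, string $slug): ?array
{
    $stmt = $db->prepare('SELECT ID, post_title FROM wp_posts WHERE post_name = ?');
    $stmt->bind_param('s', $slug);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// (d) The same with PDO and a named placeholder. Caveat: the pdo_mysql driver
//     emulates prepares client-side by default, so disable emulation to get
//     the server-side behaviour of (c) rather than an escaping scheme like (b).
function pdo_connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

function find_post_pdo(PDO $db, string $slug): ?array
{
    $stmt = $db->prepare('SELECT ID, post_title FROM wp_posts WHERE post_name = :slug');
    $stmt->execute([':slug' => $slug]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Usage (assumed credentials via environment variables).
$host = getenv('WP_DB_HOST') ?: '127.0.0.1';
$name = getenv('WP_DB_NAME') ?: 'wordpress';
$user = getenv('WP_DB_USER') ?: 'wp';
$pass = getenv('WP_DB_PASS') ?: '';

$mysqli = new mysqli($host, $user, $pass, $name);
$mysqli->set_charset('utf8mb4');                 // escaping in (b) depends on this

$hostile = "x' OR '1'='1";                       // constructed hostile input
var_dump(find_post_emulated($mysqli, $hostile)); // no row: the quote is escaped
var_dump(find_post_prepared($mysqli, $hostile)); // no row: the value is data only

$pdo = pdo_connect("mysql:host=$host;dbname=$name;charset=utf8mb4", $user, $pass);
var_dump(find_post_pdo($pdo, 'hello-world'));
```

The practical difference between (b) and (c)/(d) is where the boundary between code and data is enforced: in (b) it is enforced by escaping logic on the client, which is only as good as the escaping, the charset handling and every caller's discipline about what goes into the format string; in (c) and (d) the server never sees the parameter as part of the SQL text at all, which is why a real prepared statement needs no per-call review for injection.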