by tyingq 1210 days ago
>Also $wpdb->prepare() uses parametrised values.

They appear to be a hand-rolled PHP version of imitation client-side parameterized values, not the actual database library ones.

https://github.com/WordPress/WordPress/blob/master/wp-includ...


Wow. That is so much code just to avoid calling mysqli_prepare(). And they insist on using a weird printf-inspired syntax instead of ? or :field.
I suppose it's pretty battle-hardened by now, but I'd be afraid to ever touch that code for fear of introducing a SQL injection.
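To make the distinction the thread draws concrete, here is an added example (my own code, not from the thread's posters and not WordPress's implementation) that puts a small client-side emulation of printf-style placeholders next to a native `mysqli_prepare()` call. It assumes an open `mysqli` connection `$db`, a table `posts` with `id`, `title` and `status` columns, and the mysqlnd driver for `get_result()`; all three are assumptions.

```php
<?php
// Added example (not from the thread or WordPress): client-side emulated
// parameterisation versus a native server-side prepared statement.
// Assumes a mysqli connection $db and a table `posts` (both assumed).

// Approach 1: client-side emulation in the spirit of a printf-style prepare().
// The final SQL is assembled as one string; the server never sees a placeholder,
// so every quoting and type rule lives in this function. A defect here is a
// SQL injection, which is why such code is risky to touch.
function emulated_prepare(mysqli $db, string $sql, array $args): string
{
    $i = 0;
    return preg_replace_callback(
        '/%([dfs])/',
        function (array $m) use ($db, $args, &$i) {
            $value = $args[$i++] ?? null;
            switch ($m[1]) {
                case 'd': return (string) (int) $value;            // coerced, not validated
                case 'f': return (string) (float) $value;
                default:  return "'" . $db->real_escape_string((string) $value) . "'";
            }
        },
        $sql
    );
}

// Usage of the emulated form: the query text and values are mixed before
// the string reaches the server.
function emulated_lookup(mysqli $db, string $title, int $status): array
{
    $sql = emulated_prepare(
        $db,
        'SELECT id, title FROM posts WHERE title = %s AND status = %d',
        [$title, $status]
    );
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Approach 2: a native prepared statement via mysqli_prepare(). The statement
// text with '?' markers is sent once; the values travel separately through
// bind_param(), typed by the 's'/'i' format string, so no escaping or quoting
// logic exists in application code for a reviewer to get wrong.
function native_lookup(mysqli $db, string $title, int $status): array
{
    $stmt = $db->prepare(
        'SELECT id, title FROM posts WHERE title = ? AND status = ?'
    );
    $stmt->bind_param('si', $title, $status);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd
}
```

The two lookups return the same rows for well-formed input; the difference is where correctness is enforced. In `emulated_lookup()` the safety of the query depends entirely on `emulated_prepare()` handling every placeholder, literal `%` and type coercion correctly, whereas in `native_lookup()` the server parses the statement before any value is bound, so a value can never change the query's structure.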