I have the following code

$v12 = 'Milk(45% Fett i.Tr.)';
$sql = "INSERT INTO diary_data SET v2= '0.2', v12=$v12";
$final_sql = $wpdb->prepare( $sql, '');

but after echoing, $final_sql contains

INSERT INTO diary_data SET v2= '0.2', v12=Milk(450.000000ett i.Tr.)

which is not a valid SQL query.
I have tried adding an extra % in $v12, like $v12 = 'Milk(45%% Fett i.Tr.)', which gives me

INSERT INTO diary_data SET v2= '0.2', v12=Milk(45{d4f1e7f215677fb8d2f6ba2935ed4333e2d215f3645e54e0669d65c881e609cd} Fett i.Tr.)

I have also tried using $v12 = $wpdb->_real_escape('Milk(45% Fett i.Tr.)') but no luck.
Does anyone know how to solve this?
asked Sep 14, 2021 at 13:10 by Joy Kumar Bera

1 Answer
This is an incorrect use of prepare. That function is used to safely insert variables into queries. However, the code in your question does this beforehand, bypassing the security function.
E.g.
What you did:
$unsafesql = "INSERT $dangerousvariable";
$still_unsafe_sql = $wpdb->prepare( $unsafesql, '' );
What it should be:
$safe_sql = $wpdb->prepare( "INSERT %s", $dangerousvariable );
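To make the answer's point concrete, here is an added example (not code from the question or the answer) that reproduces the asker's exact output and the corrected call side by side. WordPress is not loaded, so prepare_like_wpdb() is an assumed, deliberately simplified stand-in for $wpdb->prepare(): it escapes each argument, quotes %s, and runs vsprintf() over the template, which is enough to show why interpolating data into the template breaks.

```php
<?php
// Added example, not code from the original question or answer.
// prepare_like_wpdb() is an assumed stand-in for $wpdb->prepare():
// real wpdb uses mysqli_real_escape_string() and does more validation,
// but the core mechanism (arguments are escaped and substituted into a
// vsprintf() template) is the same, and that is what matters here.
function prepare_like_wpdb(string $query, array $args): string
{
    // Only the template is a format string; arguments never are.
    $args  = array_map(fn($a) => is_string($a) ? addslashes($a) : $a, $args);
    $query = str_replace("'%s'", '%s', $query);   // tolerate a quoted %s, as wpdb does
    $query = str_replace('%s', "'%s'", $query);   // wpdb quotes string placeholders
    return vsprintf($query, $args);
}

$v12 = 'Milk(45% Fett i.Tr.)';

// What the question did: the data is interpolated INTO the template, so the
// "% F" inside the value is parsed as a float directive (space flag, F
// conversion). It swallows the dummy '' argument and prints "0.000000",
// which is exactly the "450.000000ett" seen in the question.
$broken = prepare_like_wpdb("INSERT INTO diary_data SET v2= '0.2', v12=$v12", ['']);

// What the answer recommends: the value travels as an argument bound to a
// %s placeholder, so its % signs are data and are never parsed as directives.
// A literal % that must appear in the template itself is written as %%;
// it does not belong in the argument, which is why the asker's '%%' attempt
// produced the escaped placeholder token instead.
$safe = prepare_like_wpdb(
    "INSERT INTO diary_data SET v2 = %f, v12 = %s",
    [0.2, $v12]
);

echo $broken, PHP_EOL;
// INSERT INTO diary_data SET v2= '0.2', v12=Milk(450.000000ett i.Tr.)
echo $safe, PHP_EOL;
// INSERT INTO diary_data SET v2 = 0.200000, v12 = 'Milk(45% Fett i.Tr.)'
```

The second form is the one to use with the real $wpdb->prepare(): every user-controlled value is passed as an argument, and the template contains only fixed SQL and placeholders.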