Direct SQL query in a PHP snippet, is it safe or not?

Hi! I want to know whether a direct SQL query in a PHP snippet is safe or not:

    // Build the query with placeholders: %d is cast to an integer,
    // %s is escaped and quoted by prepare(); the table name comes from
    // $wpdb->prefix, not from user input.
    $package_query = $wpdb->prepare(
        "
        SELECT comment_karma
        FROM {$wpdb->prefix}comments
        WHERE user_id = %d
        AND comment_type = %s
        AND comment_content = %s
        ",
        $user_id,
        'hp_listing_package',
        'Paid package here'
    );

    // Run the prepared SQL and fetch the single value.
    $package_karma = $wpdb->get_var( $package_query );

Hi,

If you use prepare, then most likely yes, but it is better to avoid raw queries and use WordPress or our API. See wpdb::prepare() – Method | Developer.WordPress.org.

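The reply above says that prepare() is what makes the query safe. As an added example (not code from the original post, from HivePress, or from WordPress itself), here is the poster's query in the unsafe string-interpolated form beside the prepared form, plus the LIKE case that needs one extra step. It assumes the WordPress $wpdb global is available (i.e. the code runs inside a plugin or theme); the hp_example_* function names are made up for this illustration.

```php
<?php
// Added example, not from the original post. Assumes the WordPress $wpdb
// global (plugin/theme context). $wpdb->comments is WordPress's own
// property holding the prefixed comments table name.

/**
 * UNSAFE pattern (shown only for contrast, do not use):
 * variables are interpolated straight into the SQL text, so whatever
 * $content contains becomes part of the query structure.
 */
function hp_example_karma_unsafe( $user_id, $content ) {
    global $wpdb;
    $sql = "SELECT comment_karma FROM {$wpdb->comments}
            WHERE user_id = $user_id AND comment_content = '$content'";
    return $wpdb->get_var( $sql );
}

/**
 * SAFE pattern: the same query through $wpdb->prepare().
 * %d is passed through intval(), %s is escaped and wrapped in quotes,
 * so both values can only ever be literals, never SQL.
 * The table name comes from a $wpdb property, never from input.
 */
function hp_example_karma_safe( $user_id, $content ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT comment_karma FROM {$wpdb->comments}
         WHERE user_id = %d AND comment_type = %s AND comment_content = %s",
        $user_id,
        'hp_listing_package',
        $content
    );
    return $wpdb->get_var( $sql );
}

/**
 * LIKE needs one more step: the wildcard characters % and _ are not
 * injection characters, but a value containing them would widen the
 * match. Escape them with $wpdb->esc_like() before handing the string
 * to a %s placeholder.
 */
function hp_example_karma_like( $user_id, $needle ) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like( $needle ) . '%';
    $sql = $wpdb->prepare(
        "SELECT comment_karma FROM {$wpdb->comments}
         WHERE user_id = %d AND comment_content LIKE %s",
        $user_id,
        $pattern
    );
    return $wpdb->get_var( $sql );
}

// What prepare() produces for constructed input (comment only; the
// exact escaping is done by the database driver):
//   $wpdb->prepare( "user_id = %d AND comment_content = %s", "7abc", "it's" )
//   -> user_id = 7 AND comment_content = 'it\'s'
```

The practical check when reviewing such a snippet is to confirm three things: every value that can come from a request goes through a %d/%s/%f placeholder, table names are built from $wpdb properties or $wpdb->prefix rather than input, and any LIKE pattern passes through esc_like() first. A query that meets all three is not a "raw" query in the sense the reply warns about.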

Thank you! I’m looking for another approach.
