Opened 17 years ago
Closed 17 years ago
#9505 closed defect (bug) (fixed)
Strangeness in wpdb::update() and escaping table names in wpdb::update() and wpdb::insert()
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 2.8 | Priority: | normal |
| Severity: | normal | Version: | 2.8 |
| Component: | General | Keywords: | has-patch dev-feedback |
| Focuses: | | Cc: | |
Description
In wpdb::update(), we do not enclose columns from the $where argument inside backticks. It seems this was intentional (#5178). Perhaps to allow the following?
$wpdb->update( 'table', array( 'foo' => 'bar' ), array( 'ID < 4' => 1 ), null, array( '%d' ) );
Which would execute the following SQL query.
UPDATE table SET `foo` = 'bar' WHERE ID < 4 = 1
Do we really want to support strangeness like that?
As update() and insert() were designed to simplify the execution of simple queries, I don't see why we should try to simplify complicated queries like the above.
I suggest enclosing the columns from $where in backticks.
I also think we should include backticks around $table in both update() and insert().
If people need more complicated queries, they can use
$wpdb->query( $wpdb->prepare( ... ) );
Thoughts?
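An added example, not part of the ticket and not WordPress core code: a simplified model of the query string assembly discussed above, showing the ticket's `'ID < 4'` key with and without identifier quoting. The function names `quote_identifier` and `build_update` and the `$quote_identifiers` switch are hypothetical, and values are left as `%s`/`%d` placeholders for a later prepare step.

```php
<?php
// Simplified model of the builder discussed in the ticket (assumption:
// this is NOT the wpdb implementation, only an illustration of the idea).

// Quote a MySQL identifier: wrap it in backticks and double any backtick
// already inside the name, so the name cannot close the quoting early.
function quote_identifier(string $name): string {
    return '`' . str_replace('`', '``', $name) . '`';
}

// Assemble "UPDATE <table> SET ... WHERE ..." from array keys.
// $quote_identifiers = false models the behaviour the ticket questions
// ($where keys and $table copied into the SQL text as-is);
// $quote_identifiers = true models the behaviour the ticket proposes.
function build_update(string $table, array $data, array $where, bool $quote_identifiers): string {
    $set = [];
    foreach (array_keys($data) as $column) {
        // SET columns are backticked in both modes, as in the ticket's query.
        $set[] = quote_identifier($column) . ' = %s';
    }

    $conditions = [];
    foreach (array_keys($where) as $column) {
        $name = $quote_identifiers ? quote_identifier($column) : $column;
        $conditions[] = $name . ' = %d';
    }

    $table_sql = $quote_identifiers ? quote_identifier($table) : $table;

    return 'UPDATE ' . $table_sql
        . ' SET ' . implode(', ', $set)
        . ' WHERE ' . implode(' AND ', $conditions);
}

// Constructed sample input: the call from the ticket description.
$data  = ['foo' => 'bar'];
$where = ['ID < 4' => 1];

// Unquoted: the key text becomes part of the SQL grammar.
echo build_update('table', $data, $where, false), "\n";

// Quoted: the key can only ever be read as a single column name.
echo build_update('table', $data, $where, true), "\n";
```

With quoting enabled the whole `ID < 4` key is emitted as one identifier, so MySQL looks for a column of that name instead of parsing the comparison operator.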
Attachments (1)
Change History (2)
(In [10907]) Backtick table and column names. Props mdawaffe. fixes #9505