Strangeness in wpdb::update() and escaping table names in wpdb::update() and wpdb::insert()
Reported by: mdawaffe | Owned by: mdawaffe
In wpdb::update(), we do not enclose columns from the $where argument inside backticks. It seems this was intentional (#5178). Perhaps to allow the following?
$wpdb->update( 'table', array( 'foo' => 'bar' ), array( 'ID < 4' => 1 ), null, array( '%d' ) );
Which would execute the following SQL query.
UPDATE table SET `foo` = 'bar' WHERE ID < 4 = 1
Do we really want to support strangeness like that?
As update() and insert() were designed to simplify the execution of simple queries, I don't see why we should try to simplify complicated queries like the above.
I suggest enclosing the columns from $where in backticks.
I also think we should include backticks around $table in both update() and insert().
If people need more complicated queries, they can use
$wpdb->query( $wpdb->prepare( ... ) );
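
The difference the ticket describes, as an added example (not WordPress source; `quote_ident()` and `build_update()` are hypothetical names, and values are left as placeholders rather than substituted). It models a query builder that inserts the table name and `$where` keys verbatim, next to one that backtick-quotes every identifier:

```php
<?php
// Added illustration: a simplified model of assembling an UPDATE statement.
// Not wpdb code; function names and structure are assumptions.

/** Quote a MySQL identifier: wrap in backticks, double any embedded backtick. */
function quote_ident(string $name): string {
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Build an UPDATE template with placeholders for the values.
 * $quote_all = false: SET columns are quoted, table and WHERE keys are
 *                     inserted verbatim (the behaviour the ticket describes).
 * $quote_all = true:  table and WHERE keys are quoted as well
 *                     (the change the ticket suggests).
 */
function build_update(string $table, array $data, array $where,
                      array $where_format, bool $quote_all): string {
    $set = [];
    foreach (array_keys($data) as $col) {
        $set[] = quote_ident($col) . ' = %s';
    }

    $conds = [];
    $i = 0;
    foreach (array_keys($where) as $col) {
        $fmt     = $where_format[$i++] ?? '%s';
        $conds[] = ($quote_all ? quote_ident($col) : $col) . ' = ' . $fmt;
    }

    $tbl = $quote_all ? quote_ident($table) : $table;
    return "UPDATE $tbl SET " . implode(', ', $set)
         . ' WHERE ' . implode(' AND ', $conds);
}

// The call from the ticket: the array key carries an SQL expression.
$data  = ['foo' => 'bar'];
$where = ['ID < 4' => 1];

echo build_update('table', $data, $where, ['%d'], false), "\n"; // key becomes SQL
echo build_update('table', $data, $where, ['%d'], true), "\n";  // key stays a name
```

With quoting on, the key from the ticket becomes the single identifier `ID < 4`, so MySQL looks for a column of that name and the query fails instead of evaluating a comparison. Doubling embedded backticks keeps a key from closing the quoted identifier early.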