Make WordPress Core

Opened 7 years ago

Closed 7 years ago

#9505 closed defect (bug) (fixed)

Strangeness in wpdb::update() and escaping table names in wpdb::update() and wpdb::insert()

Reported by: mdawaffe Owned by: mdawaffe
Milestone: 2.8 Priority: normal
Severity: normal Version: 2.8
Component: General Keywords: has-patch dev-feedback
Focuses: Cc:


In wpdb::update(), we do not enclose columns from the $where argument inside backticks. It seems this was intentional (#5178). Perhaps to allow the following?

$wpdb->update( 'table', array( 'foo' => 'bar' ), array( 'ID < 4' => 1 ), null, array( '%d' ) );

Which would execute the following SQL query.

UPDATE table SET `foo` = 'bar' WHERE ID < 4 = 1

Do we really want to support strangeness like that?

As update() and insert() were designed to simplify the execution of simple queries, I don't see why we should try to simplify complicated queries like the above.

I suggest enclosing the columns from $where in backticks.

I also think we should include backticks around $table in both update() and insert().

If people need more complicated queries, they can use

$wpdb->query( $wpdb->prepare( ... ) );


Attachments (1)

9505.diff (2.0 KB) - added by mdawaffe 7 years ago.

Download all attachments as: .zip

Change History (2)

7 years ago

#1 @ryan
7 years ago

  • Resolution set to fixed
  • Status changed from new to closed

(In [10907]) Backtick table and column names. Props mdawaffe. fixes #9505

Note: See TracTickets for help on using tickets.