No announcement yet.

WordPress wpdb object - delete() method - is data sanitised/escaped?

  • Filter
  • Time
  • Show
Clear All
new posts

  • WordPress wpdb object - delete() method - is data sanitised/escaped?

    As far as I can see, the Data Validation documentation on WordPress Codex does not mention whether the delete() method SQL-escapes input or if I need to do this myself. As I am developing a very important WordPress plugin, I wanted to be absolutely sure WordPress SQL-escapes 'WHERE [...]' input for me. For others looking for the same answer, yes it does - as far as WordPress version 4.2.1 is concerned (the most recent version at the time of writing). You can find out for yourself by searching in the wp-includes/wp-db.php file. The entire delete() method as seen in 4.2.1:

    PHP Code:
    public function delete$table$where$where_format null ) {
        if ( ! 
    is_array$where ) ) {

    $where $this->process_fields$table$where$where_format );
        if ( 
    false === $where ) {

    $conditions $values = array();
        foreach ( 
    $where as $field => $value ) {
    $conditions[] = "`$field` = " $value['format'];
    $values[] = $value['value'];

    $conditions implode' AND '$conditions );

    $sql "DELETE FROM `$table` WHERE $conditions";

    $this->check_current_query false;
    $this->query$this->prepare$sql$values ) );

    As you can see at the bottom, the prepare() method is used which SQL-escapes input for inclusion in the query. See:

    Hope this helps.
    Find us on Twitter and Facebook

    Need to contact us?
    Customer Support: Client Area - 0800 862 0380 (option 2)
    Customer Relations: [email protected] - 0800 862 0380 (option 3)
    Sales: [email protected] - 0800 862 0380 (option 1)

    The opinions or views expressed above are not necessarily the opinions or views of eUKhost Ltd.