As far as I can see, the Data Validation documentation on WordPress Codex does not mention whether the delete() method SQL-escapes input or if I need to do this myself. As I am developing a very important WordPress plugin, I wanted to be absolutely sure WordPress SQL-escapes 'WHERE [...]' input for me. For others looking for the same answer, yes it does - as far as WordPress version 4.2.1 is concerned (the most recent version at the time of writing). You can find out for yourself by searching in the wp-includes/wp-db.php file. The entire delete() method as seen in 4.2.1:
PHP Code:
    public function delete( $table, $where, $where_format = null ) {
        // Refuse anything that is not an associative array of column => value.
        if ( ! is_array( $where ) ) {
            return false;
        }

        // Resolve a placeholder format (%s, %d, %f) for each WHERE value.
        $where = $this->process_fields( $table, $where, $where_format );
        if ( false === $where ) {
            return false;
        }

        $conditions = $values = array();
        foreach ( $where as $field => $value ) {
            // Column names are interpolated as-is; only the value becomes a placeholder.
            $conditions[] = "`$field` = " . $value['format'];
            $values[]     = $value['value'];
        }

        $conditions = implode( ' AND ', $conditions );

        $sql = "DELETE FROM `$table` WHERE $conditions";

        $this->check_current_query = false;
        // prepare() substitutes the placeholders with the escaped values before the query runs.
        return $this->query( $this->prepare( $sql, $values ) );
    }

As you can see at the bottom, the prepare() method is used, which SQL-escapes input for inclusion in the query. See: https://codex.wordpress.org/Class_Re...ection_Attacks

Hope this helps.
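An added usage example, not part of the original post or of WordPress itself, showing what delete() does and does not escape: the WHERE values pass through prepare(), but the table and column names are dropped into backticks unchanged, so they must come from the plugin's own constants, never from request input. The table name myplugin_tokens and both functions are hypothetical.

```php
<?php
// Added example (not from the original post). Assumes the WordPress runtime
// ($wpdb is available) and a hypothetical plugin table {$wpdb->prefix}myplugin_tokens.

function myplugin_delete_token( $user_id, $token ) {
    global $wpdb;

    // Identifier: a fixed name chosen by the plugin. delete() interpolates it raw.
    $table = $wpdb->prefix . 'myplugin_tokens';

    // Values: delete() turns these into %d / %s placeholders and runs prepare(),
    // so the caller does not escape them. %d coerces to an integer, %s quotes
    // and escapes the string.
    $rows = $wpdb->delete(
        $table,
        array( 'user_id' => $user_id, 'token' => $token ),
        array( '%d', '%s' )
    );

    // delete() returns the number of affected rows, or false on error.
    return false === $rows ? false : (int) $rows;
}

// delete() can only express "column = value AND ..." conditions. For anything
// else (IN, <, LIKE) write the statement yourself and still route every value
// through prepare(); the column name remains a constant chosen in code.
function myplugin_delete_expired_tokens( $cutoff_ts ) {
    global $wpdb;

    $table = $wpdb->prefix . 'myplugin_tokens';

    return $wpdb->query(
        $wpdb->prepare( "DELETE FROM `{$table}` WHERE `expires_at` < %d", (int) $cutoff_ts )
    );
}
```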