WP HealthKit

Prepared Statement

A prepared statement separates SQL query structure from data values, preventing SQL injection by ensuring user input cannot alter the query's logic.

How it works

WordPress's $wpdb->prepare() method uses sprintf-style placeholders: %s for strings (the value is escaped and wrapped in single quotes), %d for integers (cast with intval) and %f for floats. The substitution happens in PHP before the query is sent to MySQL, so prepare() is client-side escaping rather than a server-side prepared statement, but for injection purposes the guarantee is the same: user-supplied values are always treated as data, never as SQL commands. Placeholders bind values only; table and column names cannot be passed through %s (WordPress 6.2 added the %i placeholder for identifiers), and a literal % in the query text must be written as %%.

In WordPress

Any direct database query made through $wpdb that contains variable data should go through prepare(); only a fully static query may be run without it. WordPress core functions like get_posts() and WP_Query build their own prepared queries, so callers of those APIs do not need to escape arguments themselves.

Code example

// $status and $min_total come from untrusted input; prepare() quotes and escapes
// the %s value and casts the %d value, so neither can change the query structure.
$rows = $wpdb->get_results( $wpdb->prepare(
    "SELECT * FROM {$wpdb->prefix}orders WHERE status = %s AND total > %d",
    $status,
    $min_total
) );
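The following is an added illustration, not WP HealthKit's own code, of the points made under "How it works" and "In WordPress": the interpolated form that prepare() replaces, the prepared form, and two edge cases practitioners run into (identifiers such as a sort column, which placeholders cannot bind, and LIKE patterns, whose wildcards prepare() does not escape). It assumes it runs inside WordPress where the global $wpdb exists; the orders table, its columns, the request parameters and the hk_ function names are assumptions for the example.

```php
<?php
// Added example, not part of the original page. Assumes a WordPress
// environment (global $wpdb); the table, columns and request
// parameters are hypothetical.

/**
 * Interpolated form: the value is spliced into the SQL string, so a
 * crafted value can change the WHERE clause itself. Shown only as the
 * pattern that prepare() replaces.
 */
function hk_orders_unsafe( $status ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}orders WHERE status = '$status'"
    );
}

/**
 * Prepared form: every variable goes through a placeholder
 * (%s quoted and escaped, %d cast to int). The sort column is an
 * identifier, which placeholders cannot bind, so it is validated
 * against a whitelist instead (WordPress 6.2+ also offers %i).
 */
function hk_orders_safe( $status, $min_total, $order_by = 'created' ) {
    global $wpdb;

    // Whitelist the identifier: placeholders bind data, never SQL structure.
    $allowed = array( 'created', 'total' );
    if ( ! in_array( $order_by, $allowed, true ) ) {
        $order_by = 'created';
    }

    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id, status, total
           FROM {$wpdb->prefix}orders
          WHERE status = %s AND total > %d
       ORDER BY {$order_by}",
        $status,
        $min_total
    ) );
}

/**
 * LIKE edge case: prepare() escapes quotes but not the LIKE wildcards
 * % and _, so a user-supplied fragment must first pass through
 * $wpdb->esc_like(); the surrounding wildcards are added afterwards.
 */
function hk_orders_search( $fragment ) {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like( $fragment ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}orders WHERE note LIKE %s",
        $pattern
    ) );
}

// Typical call site inside a request handler: input is unslashed and
// sanitized first, then bound through prepare() inside the helpers.
$rows = hk_orders_safe(
    sanitize_text_field( wp_unslash( $_GET['status'] ?? '' ) ),
    absint( $_GET['min_total'] ?? 0 ),
    sanitize_key( $_GET['order_by'] ?? 'created' )
);
```

Sanitizing the input and binding it through prepare() are separate steps: sanitize_text_field() shapes the value, prepare() guarantees it cannot alter the query, and neither replaces the other.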

WP HealthKit checks for Prepared Statement-related vulnerabilities automatically

WordPress Prepared Statements — $wpdb->prepare() Explained | WP HealthKit