Prepared Statement
A prepared statement separates SQL query structure from data values, preventing SQL injection by ensuring user input cannot alter the query's logic.
How it works
WordPress's $wpdb->prepare() method uses printf-style placeholders (%s for strings, %d for integers, %f for floats). The supplied values are escaped (and, for %s, wrapped in quotes) before being substituted into the query, so user-supplied values are always treated as data, never as SQL commands. Unlike a server-side prepared statement, prepare() performs this substitution in PHP and returns a finished SQL string; the protection rests entirely on that escaping, which is why every variable value must go through a placeholder.
In WordPress
Any direct database query using $wpdb should go through prepare() unless it contains no variable data; WordPress core functions such as get_posts() and WP_Query build their SQL this way internally. Placeholders cover values only: table and column names (for example an ORDER BY column) cannot be passed as %s and must be chosen from a fixed allow-list (WordPress 6.2 added an %i placeholder for identifiers), and a literal % in the query text has to be written as %%.
Code example
<?php
// %s is quoted and escaped, %d is cast to an integer (use %f for decimal totals);
// the table name comes from $wpdb->prefix, not from user input.
$results = $wpdb->get_results( $wpdb->prepare(
    "SELECT * FROM {$wpdb->prefix}orders WHERE status = %s AND total > %d",
    $status,
    $min_total
) );
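As an added example (not code from the original page), a concatenated query beside its prepared equivalent, extended to the two cases prepare() does not cover on its own: identifiers such as an ORDER BY column, and LIKE wildcards. The function names, the orders table and its columns are assumed.

```php
<?php
// Added example, not from the original page: assumes a table
// {$wpdb->prefix}orders with columns status, total, customer, created_at.

// VULNERABLE: the value is concatenated into the SQL string, so a crafted
// $status is parsed as part of the query instead of being compared as data.
function wph_orders_vulnerable( $status ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}orders WHERE status = '$status'"
    );
}

// SAFE: every variable value travels through a placeholder. %s is quoted
// and escaped, %f and %d are cast, so input can never close the quote.
function wph_orders_safe( $status, $min_total, $customer_prefix, $order_by ) {
    global $wpdb;

    // Identifiers cannot be parameterised with %s: pick the ORDER BY column
    // from a fixed allow-list and fall back to a default otherwise.
    $allowed  = array( 'total', 'created_at' );
    $order_by = in_array( $order_by, $allowed, true ) ? $order_by : 'created_at';

    // prepare() does not neutralise LIKE wildcards; esc_like() escapes
    // % and _ in the user value, then the trailing % is appended by us.
    $like = $wpdb->esc_like( $customer_prefix ) . '%';

    return $wpdb->get_results( $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}orders
         WHERE status = %s AND total > %f AND customer LIKE %s
         ORDER BY {$order_by} DESC LIMIT %d",
        $status,
        $min_total,
        $like,
        20
    ) );
}
```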