Wordpress - Use wpdb->prepare for `order by` column name
You can't use `prepare` for column names, and you can't really use it for the sort order either. `prepare` will always quote the string. You will need to swap in the values yourself. Rather than try to "sanitize" the data, I'd use a white-list approach.
// Map of the values a visitor may pass in ?orderby= to the real column names.
$orderby = array(
    'date' => 'post_date',
    // etc
);
// Map of the values a visitor may pass in ?order= to the SQL keywords.
$sortorder = array(
    'asc'  => 'ASC',
    'desc' => 'DESC',
);
$orderbycol = 'ID'; // just a default
// Only a key that exists in the white-list is accepted; the request value
// itself never reaches the SQL, only the mapped column name does.
if (isset($_GET['orderby'])
    && isset($orderby[$_GET['orderby']])) {
    $orderbycol = $orderby[$_GET['orderby']];
}
$order = 'ASC';
if (isset($_GET['order'])
    && isset($sortorder[$_GET['order']])) {
    $order = $sortorder[$_GET['order']];
}
$sql = "Select id from $wpdb->posts order by $orderbycol $order";
echo $sql;
Though, I wonder why you are not using `WP_Query` for this.
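Added example, not part of the answer above: it shows what `prepare` actually produces when a column name is passed through `%s`, and puts the white-list idea into reusable functions that also guard against a non-string request value (`?orderby[]=x`) and feed the same white-listed values to `WP_Query`. The function names are my own; the code assumes it runs inside WordPress with the global `$wpdb` available.

```php
<?php
// Added example (not from the original answer). Assumes WordPress is loaded,
// so $wpdb and WP_Query exist; function names are hypothetical.

// Why prepare() alone does not work: %s is always quoted, so the column name
// becomes a string literal and MySQL orders every row by the same constant.
function broken_order_sql( $column ) {
    global $wpdb;
    // Produces: SELECT ID FROM wp_posts ORDER BY 'post_date'  (no real ordering)
    return $wpdb->prepare( "SELECT ID FROM {$wpdb->posts} ORDER BY %s", $column );
}

// Only a scalar string may be used as a key: ?orderby[]=x would otherwise
// raise an "Illegal offset type" error when used as an array index.
function pick_allowed( array $allowed, $value, $default ) {
    if ( is_string( $value ) && isset( $allowed[ $value ] ) ) {
        return $allowed[ $value ];
    }
    return $default;
}

// Hardened form: the request value is only ever used as an array key; the SQL
// fragment that reaches the query is taken from the fixed list.
function resolve_order( array $request ) {
    $columns    = array( 'date' => 'post_date', 'title' => 'post_title', 'id' => 'ID' );
    $directions = array( 'asc' => 'ASC', 'desc' => 'DESC' );
    return array(
        pick_allowed( $columns, isset( $request['orderby'] ) ? $request['orderby'] : null, 'ID' ),
        pick_allowed( $directions, isset( $request['order'] ) ? $request['order'] : null, 'ASC' ),
    );
}

function safe_post_ids( array $request, $limit = 10 ) {
    global $wpdb;
    list( $col, $dir ) = resolve_order( $request );
    // Column and direction come from the white-list; the one value that really
    // is user data (the limit) goes through prepare() as %d.
    return $wpdb->get_col( $wpdb->prepare(
        "SELECT ID FROM {$wpdb->posts} ORDER BY {$col} {$dir} LIMIT %d",
        (int) $limit
    ) );
}

// The same white-listed values map straight onto WP_Query, which the answer
// suggests using instead of hand-written SQL.
function safe_post_ids_wp_query( array $request ) {
    list( $col, $dir ) = resolve_order( $request );
    $q = new WP_Query( array( 'orderby' => $col, 'order' => $dir, 'fields' => 'ids', 'posts_per_page' => 10 ) );
    return $q->posts;
}
```

WordPress 6.2 later added a `%i` identifier placeholder to `prepare()`, but that only escapes a name as an identifier; it does not decide which columns a visitor may sort by, so the white-list is still the part that matters.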