WPDB prepare – like % – placeholders?

The question:

Are these {xxx...} placeholders for % in a LIKE statement normal? If so, when do they get converted back to %'s?

wp> global $wpdb;
wp> $q = "%s";
=> string(2) "%s"
wp> $pq = $wpdb->prepare($q, '%hi%');
=> string(136) "'{6e039dc0b074a5ff6828a070d0c24708d132341f32dff55a053f1410beabaacd}hi{6e039dc0b074a5ff6828a070d0c24708d132341f32dff55a053f1410beabaacd}'"

The Solutions:


Method 1

Yes, they’re normal. They were added in 4.8.3 to fix an SQL injection vulnerability.

You can read an article describing the technical reasons for this happening here and the ticket for the change here.

The placeholder characters are replaced by the random characters on the last line of $wpdb->prepare() with the $wpdb->add_placeholder_escape() function, which calls $wpdb->placeholder_escape() internally.

These placeholders are removed in $wpdb->query() by the $wpdb->remove_placeholder_escape() function which is added as a filter to the query hook.
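The answer above describes the mechanism in terms of wpdb's method names; the following is an added, stripped-down model of that mechanism, written for this page and not taken from WordPress core. It reproduces the `{hash}` tokens from the question so they can be inspected outside WordPress, shows why they exist (the output of one `prepare()` being reused as the format string of a second one) and shows the `esc_like()` pattern for building a LIKE value. The class name `MiniWpdb`, the `escapePercents` switch, `addslashes()` standing in for the mysqli real-escape call, and the `demo` functions are all assumptions of this example, not WordPress APIs; only the method names `prepare`, `query`, `esc_like`, `placeholder_escape`, `add_placeholder_escape` and `remove_placeholder_escape` mirror wpdb.

```php
<?php
declare(strict_types=1);

// Added example: a simplified model of wpdb's percent-placeholder trick.
// Not WordPress code. addslashes() stands in for the real mysqli escape,
// and the format string is assumed to contain no stray '%' apart from %s.
final class MiniWpdb
{
    private ?string $placeholder = null;

    // $escapePercents=false reproduces the pre-4.8.3 behaviour for contrast.
    public function __construct(private bool $escapePercents = true) {}

    // One random token per instance that stands in for every literal '%'.
    // wpdb derives its token from an HMAC over a salt; the shape is the same.
    public function placeholder_escape(): string
    {
        if ($this->placeholder === null) {
            $this->placeholder = '{' . bin2hex(random_bytes(32)) . '}';
        }
        return $this->placeholder;
    }

    public function add_placeholder_escape(string $query): string
    {
        return str_replace('%', $this->placeholder_escape(), $query);
    }

    public function remove_placeholder_escape(string $query): string
    {
        return str_replace($this->placeholder_escape(), '%', $query);
    }

    // Escape LIKE wildcards in user input so they match literally (as wpdb does).
    public function esc_like(string $text): string
    {
        return addcslashes($text, '_%\\');
    }

    // Minimal prepare(): quote %s, escape the values, format, then hide '%'.
    public function prepare(string $query, string ...$args): string
    {
        $query = str_replace("'%s'", '%s', $query);        // tolerate pre-quoted %s
        $query = preg_replace('/(?<!%)%s/', "'%s'", $query);
        $args  = array_map('addslashes', $args);            // stand-in for real_escape
        $query = vsprintf($query, $args);
        return $this->escapePercents ? $this->add_placeholder_escape($query) : $query;
    }

    // query() is the only place where the tokens become '%' again.
    public function query(string $sql): string
    {
        return $this->remove_placeholder_escape($sql);
    }
}

// The value from the question: '%' is hidden by prepare() and restored by query().
function question_demo(): array
{
    $wpdb = new MiniWpdb();
    $prepared = $wpdb->prepare('%s', '%hi%');
    return ['prepared' => $prepared, 'sent' => $wpdb->query($prepared)];
}

// The hazard the tokens close: output of one prepare() reused as the format
// string of a second prepare(). With tokens the embedded "%s" stays literal;
// without them it is consumed as a format specifier and breaks the quoting.
function double_prepare_demo(bool $escapePercents): string
{
    $wpdb  = new MiniWpdb($escapePercents);
    $value = 'progress %s done';                            // constructed user input
    $inner = $wpdb->prepare('col = %s', $value);
    $outer = $wpdb->prepare("SELECT 1 WHERE $inner AND other = %s", 'two', 'three');
    return $wpdb->query($outer);
}

// Building a LIKE value: escape the user's wildcards, add your own, pass as %s.
function like_demo(): string
{
    $wpdb    = new MiniWpdb();
    $term    = '50%';                                       // constructed user input
    $pattern = '%' . $wpdb->esc_like($term) . '%';
    return $wpdb->query($wpdb->prepare('SELECT 1 WHERE name LIKE %s', $pattern));
}

print_r(question_demo());
echo double_prepare_demo(true), "\n";
echo double_prepare_demo(false), "\n";
echo like_demo(), "\n";
```

Run with `php example.php`. `question_demo()` returns the `'{…}hi{…}'` shape seen in the question as `prepared` and `'%hi%'` as `sent`. `double_prepare_demo(true)` yields `SELECT 1 WHERE col = 'progress %s done' AND other = 'two'` (the user's `%s` survives as text and the spare argument is ignored), whereas `double_prepare_demo(false)` yields `SELECT 1 WHERE col = 'progress 'two' done' AND other = 'three'`, the quoting already broken by a benign value. `like_demo()` yields `SELECT 1 WHERE name LIKE '%50\\%%'`: the inner `%` is escaped for LIKE, the outer ones are the intended wildcards, and all of them pass through `prepare()` untouched.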

All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.
