保护如何使用word ->prepare()函数 - Protecting How to used wodb->prepare() function

Protecting How to used wodb->prepare() function

我用$wpdb->prepare设置了下面的sql。目前，这个查询是在一个函数中运行的，所有的变量都是从wordpress中的my page.php文件传递给函数的。下面的查询可以工作。然而，我的问题是，我是否需要在$field1, $field2,等变量上使用%s…如果是这样，有人可以帮助我如何设置它，它没有工作，当我尝试。如果不是，有人能告诉我为什么吗?谢谢你！

$query = $wpdb->prepare("SELECT DISTINCT wp_eva_geography.$field1, wp_eva_geography.$field2 
FROM wp_eva_geography
WHERE wp_eva_geography.$field3=%s AND wp_eva_geography.$field4=%s",$type,$geo_no_dash);
$results = $wpdb->get_results( $query );

Use the reference document to find out how it works.

In your specific case it might be worth just echo-ing out the MySQL query string so you can see what it's actually trying to request. Then you can spot if something has gone wrong, like a bad column name or value entry.

http://codex.wordpress.org/Class_Reference/wpdb

$wpdb->query( 
    $wpdb->prepare( 
        "DELETE FROM $wpdb->postmeta
         WHERE post_id = %d
          AND meta_key = %s",
         13, 'gargle' 
    )
);