Title: wpdb::prepare Published: April 25, 2014 Last modified: February 24, 2026 --- # wpdb::prepare( string $query, mixed $args ): string|void ## In this article * [Description](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#description) * [Parameters](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#parameters) * [Return](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#return) * [Source](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#source) * [Related](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#related) * [Changelog](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#changelog) * [User Contributed Notes](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#user-contributed-notes) [ Back to top](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#wp--skip-link--target) Prepares a SQL query for safe execution. ## 󠀁[Description](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#description)󠁿 Uses `sprintf()`-like syntax. The following placeholders can be used in the query string: * `%d` (integer) * `%f` (float) * `%s` (string) * `%i` (identifier, e.g. table/field names) All placeholders MUST be left unquoted in the query string. A corresponding argument MUST be passed for each placeholder. Note: There is one exception to the above: for compatibility with old behavior, numbered or formatted string placeholders (eg, `%1$s`, `%5s`) will not have quotes added by this function, so should be passed with appropriate quotes around them. Literal percentage signs (`%`) in the query string must be written as `%%`. Percentage wildcards (for example, to use in LIKE syntax) must be passed via a substitution argument containing the complete LIKE string, these cannot be inserted directly in the query string. Also see [wpdb::esc_like()](https://developer.wordpress.org/reference/classes/wpdb/esc_like/). Arguments may be passed as individual arguments to the method, or as a single array containing all arguments. A combination of the two is not supported. Examples: ```php $wpdb->prepare( "SELECT * FROM `table` WHERE `column` = %s AND `field` = %d OR `other_field` LIKE %s", array( 'foo', 1337, '%bar' ) ); $wpdb->prepare( "SELECT DATE_FORMAT(`field`, '%%c') FROM `table` WHERE `column` = %s", 'foo' ); $wpdb->prepare( "SELECT * FROM %i WHERE %i = %s", $table, $field, $value ); ``` ## 󠀁[Parameters](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#parameters)󠁿 `$query`stringrequired Query statement with `sprintf()`-like placeholders. `$args`mixedrequired Further variables to substitute into the query’s placeholders if being called with individual arguments. ## 󠀁[Return](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#return)󠁿 string|void Sanitized query string, if there is a query to prepare. ## 󠀁[Source](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#source)󠁿 ```php public function prepare( $query, ...$args ) { if ( is_null( $query ) ) { return; } /* * This is not meant to be foolproof -- but it will catch obviously incorrect usage. * * Note: str_contains() is not used here, as this file can be included * directly outside of WordPress core, e.g. by HyperDB, in which case * the polyfills from wp-includes/compat.php are not loaded. */ if ( false === strpos( $query, '%' ) ) { wp_load_translations_early(); _doing_it_wrong( 'wpdb::prepare', sprintf( /* translators: %s: wpdb::prepare() */ __( 'The query argument of %s must have a placeholder.' ), 'wpdb::prepare()' ), '3.9.0' ); } /* * Specify the formatting allowed in a placeholder. The following are allowed: * * - Sign specifier, e.g. $+d * - Numbered placeholders, e.g. %1$s * - Padding specifier, including custom padding characters, e.g. %05s, %'#5s * - Alignment specifier, e.g. %05-s * - Precision specifier, e.g. %.2f */ $allowed_format = '(?:[1-9][0-9]*[$])?[-+0-9]*(?: |0|\'.)?[-+0-9]*(?:\.[0-9]+)?'; /* * If a %s placeholder already has quotes around it, removing the existing quotes * and re-inserting them ensures the quotes are consistent. * * For backward compatibility, this is only applied to %s, and not to placeholders like %1$s, * which are frequently used in the middle of longer strings, or as table name placeholders. */ $query = str_replace( "'%s'", '%s', $query ); // Strip any existing single quotes. $query = str_replace( '"%s"', '%s', $query ); // Strip any existing double quotes. // Escape any unescaped percents (i.e. anything unrecognised). $query = preg_replace( "/%(?:%|$|(?!($allowed_format)?[sdfFi]))/", '%%\\1', $query ); // Extract placeholders from the query. $split_query = preg_split( "/(^|[^%]|(?:%%)+)(%(?:$allowed_format)?[sdfFi])/", $query, -1, PREG_SPLIT_DELIM_CAPTURE ); $split_query_count = count( $split_query ); /* * Split always returns with 1 value before the first placeholder (even with $query = "%s"), * then 3 additional values per placeholder. */ $placeholder_count = ( ( $split_query_count - 1 ) / 3 ); // If args were passed as an array, as in vsprintf(), move them up. $passed_as_array = ( isset( $args[0] ) && is_array( $args[0] ) && 1 === count( $args ) ); if ( $passed_as_array ) { $args = $args[0]; } $new_query = ''; $key = 2; // Keys 0 and 1 in $split_query contain values before the first placeholder. $arg_id = 0; $arg_identifiers = array(); $arg_strings = array(); while ( $key < $split_query_count ) { $placeholder = $split_query[ $key ]; $format = substr( $placeholder, 1, -1 ); $type = substr( $placeholder, -1 ); if ( 'f' === $type && true === $this->allow_unsafe_unquoted_parameters /* * Note: str_ends_with() is not used here, as this file can be included * directly outside of WordPress core, e.g. by HyperDB, in which case * the polyfills from wp-includes/compat.php are not loaded. */ && '%' === substr( $split_query[ $key - 1 ], -1, 1 ) ) { /* * Before WP 6.2 the "force floats to be locale-unaware" RegEx didn't * convert "%%%f" to "%%%F" (note the uppercase F). * This was because it didn't check to see if the leading "%" was escaped. * And because the "Escape any unescaped percents" RegEx used "[sdF]" in its * negative lookahead assertion, when there was an odd number of "%", it added * an extra "%", to give the fully escaped "%%%%f" (not a placeholder). */ $s = $split_query[ $key - 2 ] . $split_query[ $key - 1 ]; $k = 1; $l = strlen( $s ); while ( $k <= $l && '%' === $s[ $l - $k ] ) { ++$k; } $placeholder = '%' . ( $k % 2 ? '%' : '' ) . $format . $type; --$placeholder_count; } else { // Force floats to be locale-unaware. if ( 'f' === $type ) { $type = 'F'; $placeholder = '%' . $format . $type; } if ( 'i' === $type ) { $placeholder = '`%' . $format . 's`'; // Using a simple strpos() due to previous checking (e.g. $allowed_format). $argnum_pos = strpos( $format, '$' ); if ( false !== $argnum_pos ) { // sprintf() argnum starts at 1, $arg_id from 0. $arg_identifiers[] = ( ( (int) substr( $format, 0, $argnum_pos ) ) - 1 ); } else { $arg_identifiers[] = $arg_id; } } elseif ( 'd' !== $type && 'F' !== $type ) { /* * i.e. ( 's' === $type ), where 'd' and 'F' keeps $placeholder unchanged, * and we ensure string escaping is used as a safe default (e.g. even if 'x'). */ $argnum_pos = strpos( $format, '$' ); if ( false !== $argnum_pos ) { $arg_strings[] = ( ( (int) substr( $format, 0, $argnum_pos ) ) - 1 ); } else { $arg_strings[] = $arg_id; } /* * Unquoted strings for backward compatibility (dangerous). * First, "numbered or formatted string placeholders (eg, %1$s, %5s)". * Second, if "%s" has a "%" before it, even if it's unrelated (e.g. "LIKE '%%%s%%'"). */ if ( true !== $this->allow_unsafe_unquoted_parameters /* * Note: str_ends_with() is not used here, as this file can be included * directly outside of WordPress core, e.g. by HyperDB, in which case * the polyfills from wp-includes/compat.php are not loaded. */ || ( '' === $format && '%' !== substr( $split_query[ $key - 1 ], -1, 1 ) ) ) { $placeholder = "'%" . $format . "s'"; } } } // Glue (-2), any leading characters (-1), then the new $placeholder. $new_query .= $split_query[ $key - 2 ] . $split_query[ $key - 1 ] . $placeholder; $key += 3; ++$arg_id; } // Replace $query; and add remaining $query characters, or index 0 if there were no placeholders. $query = $new_query . $split_query[ $key - 2 ]; $dual_use = array_intersect( $arg_identifiers, $arg_strings ); if ( count( $dual_use ) > 0 ) { wp_load_translations_early(); $used_placeholders = array(); $key = 2; $arg_id = 0; // Parse again (only used when there is an error). while ( $key < $split_query_count ) { $placeholder = $split_query[ $key ]; $format = substr( $placeholder, 1, -1 ); $argnum_pos = strpos( $format, '$' ); if ( false !== $argnum_pos ) { $arg_pos = ( ( (int) substr( $format, 0, $argnum_pos ) ) - 1 ); } else { $arg_pos = $arg_id; } $used_placeholders[ $arg_pos ][] = $placeholder; $key += 3; ++$arg_id; } $conflicts = array(); foreach ( $dual_use as $arg_pos ) { $conflicts[] = implode( ' and ', $used_placeholders[ $arg_pos ] ); } _doing_it_wrong( 'wpdb::prepare', sprintf( /* translators: %s: A list of placeholders found to be a problem. */ __( 'Arguments cannot be prepared as both an Identifier and Value. Found the following conflicts: %s' ), implode( ', ', $conflicts ) ), '6.2.0' ); return; } $args_count = count( $args ); if ( $args_count !== $placeholder_count ) { if ( 1 === $placeholder_count && $passed_as_array ) { /* * If the passed query only expected one argument, * but the wrong number of arguments was sent as an array, bail. */ wp_load_translations_early(); _doing_it_wrong( 'wpdb::prepare', __( 'The query only expected one placeholder, but an array of multiple placeholders was sent.' ), '4.9.0' ); return; } else { /* * If we don't have the right number of placeholders, * but they were passed as individual arguments, * or we were expecting multiple arguments in an array, throw a warning. */ wp_load_translations_early(); _doing_it_wrong( 'wpdb::prepare', sprintf( /* translators: 1: Number of placeholders, 2: Number of arguments passed. */ __( 'The query does not contain the correct number of placeholders (%1$d) for the number of arguments passed (%2$d).' ), $placeholder_count, $args_count ), '4.8.3' ); /* * If we don't have enough arguments to match the placeholders, * return an empty string to avoid a fatal error on PHP 8. */ if ( $args_count < $placeholder_count ) { $max_numbered_placeholder = 0; for ( $i = 2, $l = $split_query_count; $i < $l; $i += 3 ) { // Assume a leading number is for a numbered placeholder, e.g. '%3$s'. $argnum = (int) substr( $split_query[ $i ], 1 ); if ( $max_numbered_placeholder < $argnum ) { $max_numbered_placeholder = $argnum; } } if ( ! $max_numbered_placeholder || $args_count < $max_numbered_placeholder ) { return ''; } } } } $args_escaped = array(); foreach ( $args as $i => $value ) { if ( in_array( $i, $arg_identifiers, true ) ) { $args_escaped[] = $this->_escape_identifier_value( $value ); } elseif ( is_int( $value ) || is_float( $value ) ) { $args_escaped[] = $value; } else { if ( ! is_scalar( $value ) && ! is_null( $value ) ) { wp_load_translations_early(); _doing_it_wrong( 'wpdb::prepare', sprintf( /* translators: %s: Value type. */ __( 'Unsupported value type (%s).' ), gettype( $value ) ), '4.8.2' ); // Preserving old behavior, where values are escaped as strings. $value = ''; } $args_escaped[] = $this->_real_escape( $value ); } } $query = vsprintf( $query, $args_escaped ); return $this->add_placeholder_escape( $query ); } ``` [View all references](https://developer.wordpress.org/reference/files/wp-includes/class-wpdb.php/) [View on Trac](https://core.trac.wordpress.org/browser/tags/6.9.4/src/wp-includes/class-wpdb.php#L1464) [View on GitHub](https://github.com/WordPress/wordpress-develop/blob/6.9.4/src/wp-includes/class-wpdb.php#L1464-L1766) ## 󠀁[Related](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#related)󠁿 | Uses | Description | | [wpdb::_escape_identifier_value()](https://developer.wordpress.org/reference/classes/wpdb/_escape_identifier_value/)`wp-includes/class-wpdb.php` | Escapes an identifier value without adding the surrounding quotes. | | [wpdb::add_placeholder_escape()](https://developer.wordpress.org/reference/classes/wpdb/add_placeholder_escape/)`wp-includes/class-wpdb.php` | Adds a placeholder escape string, to escape anything that resembles a printf() placeholder. | | [wp_load_translations_early()](https://developer.wordpress.org/reference/functions/wp_load_translations_early/)`wp-includes/load.php` | Attempts an early load of translations. | | [wpdb::_real_escape()](https://developer.wordpress.org/reference/classes/wpdb/_real_escape/)`wp-includes/class-wpdb.php` | Real escape using mysqli_real_escape_string(). | | [__()](https://developer.wordpress.org/reference/functions/__/)`wp-includes/l10n.php` | Retrieves the translation of $text. | | [_doing_it_wrong()](https://developer.wordpress.org/reference/functions/_doing_it_wrong/)`wp-includes/functions.php` | Marks something as being incorrectly called. | [Show 2 more](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#) [Show less](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#) | Used by | Description | | [wp_check_comment_data()](https://developer.wordpress.org/reference/functions/wp_check_comment_data/)`wp-includes/comment.php` | Checks whether comment data passes internal checks or has disallowed content. | | [wp_prime_network_option_caches()](https://developer.wordpress.org/reference/functions/wp_prime_network_option_caches/)`wp-includes/option.php` | Primes specific network options into the cache with a single database query. | | [wp_prime_option_caches()](https://developer.wordpress.org/reference/functions/wp_prime_option_caches/)`wp-includes/option.php` | Primes specific options into the cache with a single database query. | | [wp_set_option_autoload_values()](https://developer.wordpress.org/reference/functions/wp_set_option_autoload_values/)`wp-includes/option.php` | Sets the autoload values for multiple options in the database. | | [WP_Site_Health::should_suggest_persistent_object_cache()](https://developer.wordpress.org/reference/classes/wp_site_health/should_suggest_persistent_object_cache/)`wp-admin/includes/class-wp-site-health.php` | Determines whether to suggest using a persistent object cache. | | [WP_Debug_Data::get_mysql_var()](https://developer.wordpress.org/reference/classes/wp_debug_data/get_mysql_var/)`wp-admin/includes/class-wp-debug-data.php` | Returns the value of a MySQL system variable. | | [_wp_batch_update_comment_type()](https://developer.wordpress.org/reference/functions/_wp_batch_update_comment_type/)`wp-includes/comment.php` | Updates the comment type for a batch of comments. | | [wp_delete_site()](https://developer.wordpress.org/reference/functions/wp_delete_site/)`wp-includes/ms-site.php` | Deletes a site from the database. | | [populate_network_meta()](https://developer.wordpress.org/reference/functions/populate_network_meta/)`wp-admin/includes/schema.php` | Creates WordPress network meta and sets the default values. | | [populate_site_meta()](https://developer.wordpress.org/reference/functions/populate_site_meta/)`wp-admin/includes/schema.php` | Creates WordPress site meta and sets the default values. | | [_find_post_by_old_slug()](https://developer.wordpress.org/reference/functions/_find_post_by_old_slug/)`wp-includes/query.php` | Find the post ID for redirecting an old slug. | | [_find_post_by_old_date()](https://developer.wordpress.org/reference/functions/_find_post_by_old_date/)`wp-includes/query.php` | Find the post ID for redirecting an old date. | | [wp_delete_attachment_files()](https://developer.wordpress.org/reference/functions/wp_delete_attachment_files/)`wp-includes/post.php` | Deletes all files that belong to the given attachment. | | [WP_Privacy_Requests_Table::get_request_counts()](https://developer.wordpress.org/reference/classes/wp_privacy_requests_table/get_request_counts/)`wp-admin/includes/class-wp-privacy-requests-table.php` | Counts the number of requests for each status. | | [has_term_meta()](https://developer.wordpress.org/reference/functions/has_term_meta/)`wp-includes/taxonomy.php` | Gets all meta data, including meta IDs, for the given term ID. | | [delete_expired_transients()](https://developer.wordpress.org/reference/functions/delete_expired_transients/)`wp-includes/option.php` | Deletes all expired transients. | | [wp_check_comment_flood()](https://developer.wordpress.org/reference/functions/wp_check_comment_flood/)`wp-includes/comment.php` | Checks whether comment flooding is occurring. | | [WP_Term_Query::get_search_sql()](https://developer.wordpress.org/reference/classes/wp_term_query/get_search_sql/)`wp-includes/class-wp-term-query.php` | Used internally to generate a SQL string related to the ‘search’ parameter. | | [WP_Term_Query::get_terms()](https://developer.wordpress.org/reference/classes/wp_term_query/get_terms/)`wp-includes/class-wp-term-query.php` | Retrieves the query results. | | [WP_Network_Query::get_search_sql()](https://developer.wordpress.org/reference/classes/wp_network_query/get_search_sql/)`wp-includes/class-wp-network-query.php` | Used internally to generate an SQL string for searching across multiple columns. | | [WP_Network_Query::get_network_ids()](https://developer.wordpress.org/reference/classes/wp_network_query/get_network_ids/)`wp-includes/class-wp-network-query.php` | Used internally to get a list of network IDs matching the query vars. | | [WP_Site_Query::get_search_sql()](https://developer.wordpress.org/reference/classes/wp_site_query/get_search_sql/)`wp-includes/class-wp-site-query.php` | Used internally to generate an SQL string for searching across multiple columns. | | [WP_Site_Query::get_site_ids()](https://developer.wordpress.org/reference/classes/wp_site_query/get_site_ids/)`wp-includes/class-wp-site-query.php` | Used internally to get a list of site IDs matching the query vars. | | [wxr_term_meta()](https://developer.wordpress.org/reference/functions/wxr_term_meta/)`wp-admin/includes/export.php` | Outputs term meta XML tags for a given term object. | | [WP_Site::get_instance()](https://developer.wordpress.org/reference/classes/wp_site/get_instance/)`wp-includes/class-wp-site.php` | Retrieves a site from the database by its ID. | | [WP_Upgrader::create_lock()](https://developer.wordpress.org/reference/classes/wp_upgrader/create_lock/)`wp-admin/includes/class-wp-upgrader.php` | Creates a lock using WordPress options. | | [WP_Network::get_instance()](https://developer.wordpress.org/reference/classes/wp_network/get_instance/)`wp-includes/class-wp-network.php` | Retrieves a network from the database by its ID. | | [wp_term_is_shared()](https://developer.wordpress.org/reference/functions/wp_term_is_shared/)`wp-includes/taxonomy.php` | Determines whether a term is shared between multiple taxonomies. | | [WP_Comment::get_instance()](https://developer.wordpress.org/reference/classes/wp_comment/get_instance/)`wp-includes/class-wp-comment.php` | Retrieves a [WP_Comment](https://developer.wordpress.org/reference/classes/wp_comment/) instance. | | [wp_get_users_with_no_role()](https://developer.wordpress.org/reference/functions/wp_get_users_with_no_role/)`wp-includes/user.php` | Gets the user IDs of all users with no role on this site. | | [WP_Comment_Query::get_comment_ids()](https://developer.wordpress.org/reference/classes/wp_comment_query/get_comment_ids/)`wp-includes/class-wp-comment-query.php` | Used internally to get a list of comment IDs matching the query vars. | | [WP_Term::get_instance()](https://developer.wordpress.org/reference/classes/wp_term/get_instance/)`wp-includes/class-wp-term.php` | Retrieve [WP_Term](https://developer.wordpress.org/reference/classes/wp_term/) instance. | | [delete_network_option()](https://developer.wordpress.org/reference/functions/delete_network_option/)`wp-includes/option.php` | Removes a network option by name. | | [get_network_option()](https://developer.wordpress.org/reference/functions/get_network_option/)`wp-includes/option.php` | Retrieves a network’s option value based on the option name. | | [_wp_batch_split_terms()](https://developer.wordpress.org/reference/functions/_wp_batch_split_terms/)`wp-includes/taxonomy.php` | Splits a batch of shared taxonomy terms. | | [wpdb::strip_invalid_text()](https://developer.wordpress.org/reference/classes/wpdb/strip_invalid_text/)`wp-includes/class-wpdb.php` | Strips any invalid characters based on value/charset pairs. | | [wp_media_attach_action()](https://developer.wordpress.org/reference/functions/wp_media_attach_action/)`wp-admin/includes/media.php` | Encapsulates the logic for Attach/Detach actions. | | [WP_Meta_Query::get_sql_for_clause()](https://developer.wordpress.org/reference/classes/wp_meta_query/get_sql_for_clause/)`wp-includes/class-wp-meta-query.php` | Generates SQL JOIN and WHERE clauses for a first-order query clause. | | [WP_Tax_Query::get_sql_for_clause()](https://developer.wordpress.org/reference/classes/wp_tax_query/get_sql_for_clause/)`wp-includes/class-wp-tax-query.php` | Generates SQL JOIN and WHERE clauses for a “first-order” query clause. | | [WP_Date_Query::get_sql_for_clause()](https://developer.wordpress.org/reference/classes/wp_date_query/get_sql_for_clause/)`wp-includes/class-wp-date-query.php` | Turns a first-order date query into SQL for a WHERE clause. | | [attachment_url_to_postid()](https://developer.wordpress.org/reference/functions/attachment_url_to_postid/)`wp-includes/media.php` | Tries to convert an attachment URL into a post ID. | | [display_setup_form()](https://developer.wordpress.org/reference/functions/display_setup_form/)`wp-admin/install.php` | Displays installer setup form. | | [network_domain_check()](https://developer.wordpress.org/reference/functions/network_domain_check/)`wp-admin/includes/network.php` | Check for an existing network. | | [export_date_options()](https://developer.wordpress.org/reference/functions/export_date_options/)`wp-admin/export.php` | Creates the date options fields for exporting a given post type. | | [export_wp()](https://developer.wordpress.org/reference/functions/export_wp/)`wp-admin/includes/export.php` | Generates the WXR export file for download. | | [WP_User_Search::prepare_query()](https://developer.wordpress.org/reference/classes/wp_user_search/prepare_query/)`wp-admin/includes/deprecated.php` | Prepares the user search query (legacy). | | [get_author_user_ids()](https://developer.wordpress.org/reference/functions/get_author_user_ids/)`wp-admin/includes/deprecated.php` | Get all user IDs. | | [get_editable_user_ids()](https://developer.wordpress.org/reference/functions/get_editable_user_ids/)`wp-admin/includes/deprecated.php` | Gets the IDs of any users who can edit posts. | | [get_nonauthor_user_ids()](https://developer.wordpress.org/reference/functions/get_nonauthor_user_ids/)`wp-admin/includes/deprecated.php` | Gets all users who are not authors. | | [get_others_unpublished_posts()](https://developer.wordpress.org/reference/functions/get_others_unpublished_posts/)`wp-admin/includes/deprecated.php` | Retrieves editable posts from other users. | | [WP_List_Table::months_dropdown()](https://developer.wordpress.org/reference/classes/wp_list_table/months_dropdown/)`wp-admin/includes/class-wp-list-table.php` | Displays a dropdown for filtering items in the list table by month. | | [wpmu_delete_user()](https://developer.wordpress.org/reference/functions/wpmu_delete_user/)`wp-admin/includes/ms.php` | Deletes a user and all of their posts from the network. | | [populate_network()](https://developer.wordpress.org/reference/functions/populate_network/)`wp-admin/includes/schema.php` | Populate network settings. | | [populate_options()](https://developer.wordpress.org/reference/functions/populate_options/)`wp-admin/includes/schema.php` | Create WordPress options and set the default values. | | [maybe_create_table()](https://developer.wordpress.org/reference/functions/maybe_create_table/)`wp-admin/includes/upgrade.php` | Creates a table in the database, if it doesn’t already exist. | | [wp_install_defaults()](https://developer.wordpress.org/reference/functions/wp_install_defaults/)`wp-admin/includes/upgrade.php` | Creates the initial content for a newly-installed site. | | [get_users_drafts()](https://developer.wordpress.org/reference/functions/get_users_drafts/)`wp-admin/includes/user.php` | Retrieve the user’s drafts. | | [wp_delete_user()](https://developer.wordpress.org/reference/functions/wp_delete_user/)`wp-admin/includes/user.php` | Delete user and optionally reassign posts and links to another user. | | [meta_form()](https://developer.wordpress.org/reference/functions/meta_form/)`wp-admin/includes/template.php` | Prints the form in the Custom Fields meta box. | | [parent_dropdown()](https://developer.wordpress.org/reference/functions/parent_dropdown/)`wp-admin/includes/template.php` | Prints out option HTML elements for the page parents drop-down. | | [WP_MS_Sites_List_Table::prepare_items()](https://developer.wordpress.org/reference/classes/wp_ms_sites_list_table/prepare_items/)`wp-admin/includes/class-wp-ms-sites-list-table.php` | Prepares the list of sites for display. | | [update_gallery_tab()](https://developer.wordpress.org/reference/functions/update_gallery_tab/)`wp-admin/includes/media.php` | Adds the gallery tab back to the tabs array if post has image attachments. | | [has_meta()](https://developer.wordpress.org/reference/functions/has_meta/)`wp-admin/includes/post.php` | Returns meta data for the given post ID. | | [get_available_post_mime_types()](https://developer.wordpress.org/reference/functions/get_available_post_mime_types/)`wp-includes/post.php` | Gets all available post MIME types for a given post type. | | [post_exists()](https://developer.wordpress.org/reference/functions/post_exists/)`wp-admin/includes/post.php` | Determines if a post exists based on title, content, date and type. | | [WP_Importer::get_imported_comments()](https://developer.wordpress.org/reference/classes/wp_importer/get_imported_comments/)`wp-admin/includes/class-wp-importer.php` | Sets array with imported comments from WordPress database. | | [WP_Importer::get_imported_posts()](https://developer.wordpress.org/reference/classes/wp_importer/get_imported_posts/)`wp-admin/includes/class-wp-importer.php` | Returns array with imported permalinks from WordPress database. | | [WP_Importer::count_imported_posts()](https://developer.wordpress.org/reference/classes/wp_importer/count_imported_posts/)`wp-admin/includes/class-wp-importer.php` | Returns count of imported permalinks from WordPress database. | | [_wp_delete_orphaned_draft_menu_items()](https://developer.wordpress.org/reference/functions/_wp_delete_orphaned_draft_menu_items/)`wp-admin/includes/nav-menu.php` | Deletes orphaned draft menu items | | [WP_Posts_List_Table::__construct()](https://developer.wordpress.org/reference/classes/wp_posts_list_table/__construct/)`wp-admin/includes/class-wp-posts-list-table.php` | Constructor. | | [comment_exists()](https://developer.wordpress.org/reference/functions/comment_exists/)`wp-admin/includes/comment.php` | Determines if a comment exists based on author and date. | | [WP_User::get_data_by()](https://developer.wordpress.org/reference/classes/wp_user/get_data_by/)`wp-includes/class-wp-user.php` | Returns only the main user fields. | | [wp_get_archives()](https://developer.wordpress.org/reference/functions/wp_get_archives/)`wp-includes/general-template.php` | Displays archive links based on type and format. | | [get_calendar()](https://developer.wordpress.org/reference/functions/get_calendar/)`wp-includes/general-template.php` | Displays calendar with days that have posts as links. | | [delete_usermeta()](https://developer.wordpress.org/reference/functions/delete_usermeta/)`wp-includes/deprecated.php` | Remove user meta data. | | [get_usermeta()](https://developer.wordpress.org/reference/functions/get_usermeta/)`wp-includes/deprecated.php` | Retrieve user metadata. | | [update_usermeta()](https://developer.wordpress.org/reference/functions/update_usermeta/)`wp-includes/deprecated.php` | Update metadata of user. | | [WP_Query::get_posts()](https://developer.wordpress.org/reference/classes/wp_query/get_posts/)`wp-includes/class-wp-query.php` | Retrieves an array of posts based on query variables. | | [WP_Query::parse_search()](https://developer.wordpress.org/reference/classes/wp_query/parse_search/)`wp-includes/class-wp-query.php` | Generates SQL for the WHERE clause based on passed search terms. | | [WP_Query::parse_search_order()](https://developer.wordpress.org/reference/classes/wp_query/parse_search_order/)`wp-includes/class-wp-query.php` | Generates SQL for the ORDER BY condition based on passed search terms. | | [wp_scheduled_delete()](https://developer.wordpress.org/reference/functions/wp_scheduled_delete/)`wp-includes/functions.php` | Permanently deletes comments or posts of any type that have held a status of ‘trash’ for the number of days defined in EMPTY_TRASH_DAYS. | | [do_enclose()](https://developer.wordpress.org/reference/functions/do_enclose/)`wp-includes/functions.php` | Checks content for video and audio links to add as enclosures. | | [_update_post_term_count()](https://developer.wordpress.org/reference/functions/_update_post_term_count/)`wp-includes/taxonomy.php` | Updates term count based on object types of the current taxonomy. | | [_update_generic_term_count()](https://developer.wordpress.org/reference/functions/_update_generic_term_count/)`wp-includes/taxonomy.php` | Updates term count based on number of objects. | | [wp_unique_term_slug()](https://developer.wordpress.org/reference/functions/wp_unique_term_slug/)`wp-includes/taxonomy.php` | Makes term slug unique, if it isn’t already. | | [wp_update_term()](https://developer.wordpress.org/reference/functions/wp_update_term/)`wp-includes/taxonomy.php` | Updates term based on arguments provided. | | [wp_set_object_terms()](https://developer.wordpress.org/reference/functions/wp_set_object_terms/)`wp-includes/taxonomy.php` | Creates term and taxonomy relationships. | | [wp_remove_object_terms()](https://developer.wordpress.org/reference/functions/wp_remove_object_terms/)`wp-includes/taxonomy.php` | Removes term(s) associated with a given object. | | [wp_insert_term()](https://developer.wordpress.org/reference/functions/wp_insert_term/)`wp-includes/taxonomy.php` | Adds a new term to the database. | | [wp_delete_term()](https://developer.wordpress.org/reference/functions/wp_delete_term/)`wp-includes/taxonomy.php` | Removes a term from the database. | | [get_adjacent_post()](https://developer.wordpress.org/reference/functions/get_adjacent_post/)`wp-includes/link-template.php` | Retrieves the adjacent post. | | [wp_version_check()](https://developer.wordpress.org/reference/functions/wp_version_check/)`wp-includes/update.php` | Checks WordPress version against the newest version. | | [ms_allowed_http_request_hosts()](https://developer.wordpress.org/reference/functions/ms_allowed_http_request_hosts/)`wp-includes/http.php` | Adds any domain in a multisite installation for safe HTTP requests to the allowed list. | | [WP_Date_Query::build_time_query()](https://developer.wordpress.org/reference/classes/wp_date_query/build_time_query/)`wp-includes/class-wp-date-query.php` | Builds a query string for comparing time values (hour, minute, second). | | [update_option()](https://developer.wordpress.org/reference/functions/update_option/)`wp-includes/option.php` | Updates the value of an option that was already added. | | [add_option()](https://developer.wordpress.org/reference/functions/add_option/)`wp-includes/option.php` | Adds a new option. | | [delete_option()](https://developer.wordpress.org/reference/functions/delete_option/)`wp-includes/option.php` | Removes an option by name. Prevents removal of protected WordPress options. | | [get_option()](https://developer.wordpress.org/reference/functions/get_option/)`wp-includes/option.php` | Retrieves an option value based on an option name. | | [WP_User_Query::prepare_query()](https://developer.wordpress.org/reference/classes/wp_user_query/prepare_query/)`wp-includes/class-wp-user-query.php` | Prepares the query variables. | | [WP_User_Query::get_search_sql()](https://developer.wordpress.org/reference/classes/wp_user_query/get_search_sql/)`wp-includes/class-wp-user-query.php` | Used internally to generate an SQL string for searching across multiple columns. | | [wp_insert_user()](https://developer.wordpress.org/reference/functions/wp_insert_user/)`wp-includes/user.php` | Inserts a user into the database. | | [count_users()](https://developer.wordpress.org/reference/functions/count_users/)`wp-includes/user.php` | Counts number of users who have each of the user roles. | | [wp_enqueue_media()](https://developer.wordpress.org/reference/functions/wp_enqueue_media/)`wp-includes/media.php` | Enqueues all scripts, styles, settings, and templates necessary to use all media JS APIs. | | [WP_Post::get_instance()](https://developer.wordpress.org/reference/classes/wp_post/get_instance/)`wp-includes/class-wp-post.php` | Retrieve [WP_Post](https://developer.wordpress.org/reference/classes/wp_post/) instance. | | [get_posts_by_author_sql()](https://developer.wordpress.org/reference/functions/get_posts_by_author_sql/)`wp-includes/post.php` | Retrieves the post SQL based on capability, author, and type. | | [wp_delete_attachment()](https://developer.wordpress.org/reference/functions/wp_delete_attachment/)`wp-includes/post.php` | Trashes or deletes an attachment. | | [get_page_by_title()](https://developer.wordpress.org/reference/functions/get_page_by_title/)`wp-includes/deprecated.php` | Retrieves a page given its title. | | [wp_unique_post_slug()](https://developer.wordpress.org/reference/functions/wp_unique_post_slug/)`wp-includes/post.php` | Computes a unique slug for the post, when given the desired slug and some post details. | | [wp_untrash_post_comments()](https://developer.wordpress.org/reference/functions/wp_untrash_post_comments/)`wp-includes/post.php` | Restores comments for a post from the Trash. | | [wp_insert_post()](https://developer.wordpress.org/reference/functions/wp_insert_post/)`wp-includes/post.php` | Inserts or update a post. | | [wp_delete_post()](https://developer.wordpress.org/reference/functions/wp_delete_post/)`wp-includes/post.php` | Trashes or deletes a post or page. | | [wp_trash_post_comments()](https://developer.wordpress.org/reference/functions/wp_trash_post_comments/)`wp-includes/post.php` | Moves comments for a post to the Trash. | | [wp_count_posts()](https://developer.wordpress.org/reference/functions/wp_count_posts/)`wp-includes/post.php` | Counts number of posts of a post type and if user has permissions to view. | | [WP_Rewrite::page_uri_index()](https://developer.wordpress.org/reference/classes/wp_rewrite/page_uri_index/)`wp-includes/class-wp-rewrite.php` | Retrieves all pages and attachments for pages URIs. | | [redirect_canonical()](https://developer.wordpress.org/reference/functions/redirect_canonical/)`wp-includes/canonical.php` | Redirects incoming links to the proper URL based on the site url. | | [redirect_guess_404_permalink()](https://developer.wordpress.org/reference/functions/redirect_guess_404_permalink/)`wp-includes/canonical.php` | Attempts to guess the correct URL for a 404 request based on query vars. | | [_wp_upgrade_revisions_of_post()](https://developer.wordpress.org/reference/functions/_wp_upgrade_revisions_of_post/)`wp-includes/revision.php` | Upgrades the revisions author, adds the current post as a revision and sets the revisions version to 1. | | [get_most_recent_post_of_user()](https://developer.wordpress.org/reference/functions/get_most_recent_post_of_user/)`wp-includes/ms-functions.php` | Gets a user’s most recent post. | | [wpmu_activate_signup()](https://developer.wordpress.org/reference/functions/wpmu_activate_signup/)`wp-includes/ms-functions.php` | Activates a signup. | | [wpmu_validate_user_signup()](https://developer.wordpress.org/reference/functions/wpmu_validate_user_signup/)`wp-includes/ms-functions.php` | Sanitizes and validates data required for a user sign-up. | | [wpmu_validate_blog_signup()](https://developer.wordpress.org/reference/functions/wpmu_validate_blog_signup/)`wp-includes/ms-functions.php` | Processes new site registrations. | | [remove_user_from_blog()](https://developer.wordpress.org/reference/functions/remove_user_from_blog/)`wp-includes/ms-functions.php` | Removes a user from a blog. | | [get_admin_users_for_domain()](https://developer.wordpress.org/reference/functions/get_admin_users_for_domain/)`wp-includes/ms-deprecated.php` | Get the admin for a domain/path combination. | | [ms_not_installed()](https://developer.wordpress.org/reference/functions/ms_not_installed/)`wp-includes/ms-load.php` | Displays a failure message. | | [get_bookmark()](https://developer.wordpress.org/reference/functions/get_bookmark/)`wp-includes/bookmark.php` | Retrieves bookmark data. | | [get_bookmarks()](https://developer.wordpress.org/reference/functions/get_bookmarks/)`wp-includes/bookmark.php` | Retrieves the list of bookmarks. | | [get_blog_list()](https://developer.wordpress.org/reference/functions/get_blog_list/)`wp-includes/ms-deprecated.php` | Deprecated functionality to retrieve a list of all sites. | | [get_blog_status()](https://developer.wordpress.org/reference/functions/get_blog_status/)`wp-includes/ms-blogs.php` | Gets a blog details field. | | [get_last_updated()](https://developer.wordpress.org/reference/functions/get_last_updated/)`wp-includes/ms-blogs.php` | Gets a list of most recently updated blogs. | | [get_blog_details()](https://developer.wordpress.org/reference/functions/get_blog_details/)`wp-includes/ms-blogs.php` | Retrieves the details for a blog from the blogs table and blog options. | | [wp_xmlrpc_server::mt_getTrackbackPings()](https://developer.wordpress.org/reference/classes/wp_xmlrpc_server/mt_gettrackbackpings/)`wp-includes/class-wp-xmlrpc-server.php` | Retrieves trackbacks sent to a given post. | | [wp_xmlrpc_server::pingback_ping()](https://developer.wordpress.org/reference/classes/wp_xmlrpc_server/pingback_ping/)`wp-includes/class-wp-xmlrpc-server.php` | Retrieves a pingback and registers it. | | [wp_xmlrpc_server::pingback_extensions_getPingbacks()](https://developer.wordpress.org/reference/classes/wp_xmlrpc_server/pingback_extensions_getpingbacks/)`wp-includes/class-wp-xmlrpc-server.php` | Retrieves an array of URLs that pingbacked the given URL. | | [wpdb::_insert_replace_helper()](https://developer.wordpress.org/reference/classes/wpdb/_insert_replace_helper/)`wp-includes/class-wpdb.php` | Helper function for insert and replace. | | [wpdb::update()](https://developer.wordpress.org/reference/classes/wpdb/update/)`wp-includes/class-wpdb.php` | Updates a row in the table. | | [wpdb::delete()](https://developer.wordpress.org/reference/classes/wpdb/delete/)`wp-includes/class-wpdb.php` | Deletes a row in the table. | | [wpdb::set_charset()](https://developer.wordpress.org/reference/classes/wpdb/set_charset/)`wp-includes/class-wpdb.php` | Sets the connection’s character set. | | [WP_Comment_Query::get_search_sql()](https://developer.wordpress.org/reference/classes/wp_comment_query/get_search_sql/)`wp-includes/class-wp-comment-query.php` | Used internally to generate an SQL string for searching across multiple columns. | | [trackback()](https://developer.wordpress.org/reference/functions/trackback/)`wp-includes/comment.php` | Sends a Trackback. | | [wp_update_comment_count_now()](https://developer.wordpress.org/reference/functions/wp_update_comment_count_now/)`wp-includes/comment.php` | Updates the comment count for the post. | | [do_trackbacks()](https://developer.wordpress.org/reference/functions/do_trackbacks/)`wp-includes/comment.php` | Performs trackbacks. | | [wp_delete_comment()](https://developer.wordpress.org/reference/functions/wp_delete_comment/)`wp-includes/comment.php` | Trashes or deletes a comment. | | [get_lastcommentmodified()](https://developer.wordpress.org/reference/functions/get_lastcommentmodified/)`wp-includes/comment.php` | Retrieves the date the last comment was modified. | | [wp_allow_comment()](https://developer.wordpress.org/reference/functions/wp_allow_comment/)`wp-includes/comment.php` | Validates whether this comment is allowed to be made. | | [check_comment()](https://developer.wordpress.org/reference/functions/check_comment/)`wp-includes/comment.php` | Checks whether a comment passes internal checks to be allowed to add. | | [delete_metadata()](https://developer.wordpress.org/reference/functions/delete_metadata/)`wp-includes/meta.php` | Deletes metadata for the specified object. | | [get_metadata_by_mid()](https://developer.wordpress.org/reference/functions/get_metadata_by_mid/)`wp-includes/meta.php` | Retrieves metadata by meta ID. | | [add_metadata()](https://developer.wordpress.org/reference/functions/add_metadata/)`wp-includes/meta.php` | Adds metadata for the specified object. | | [update_metadata()](https://developer.wordpress.org/reference/functions/update_metadata/)`wp-includes/meta.php` | Updates metadata for the specified object. If no value already exists for the specified object ID and metadata key, the metadata will be added. | [Show 144 more](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#) [Show less](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#) ## 󠀁[Changelog](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#changelog)󠁿 | Version | Description | | [6.2.0](https://developer.wordpress.org/reference/since/6.2.0/) | Added `%i` for identifiers, e.g. table or field names. Check support via `wpdb::has_cap( 'identifier_placeholders' )`. This preserves compatibility with `sprintf()`, as the C version uses `%d` and `$i` as a signed integer, whereas PHP only supports `%d`. | | [5.3.0](https://developer.wordpress.org/reference/since/5.3.0/) | Formalized the existing and already documented `...$args` parameter by updating the function signature. The second parameter was changed from `$args` to `...$args`. | | [2.3.0](https://developer.wordpress.org/reference/since/2.3.0/) | Introduced. | ## 󠀁[User Contributed Notes](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#user-contributed-notes)󠁿 1. [Skip to note 8 content](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#comment-content-1557) 2. [Ian Dunn](https://profiles.wordpress.org/iandunn/) [ 10 years ago ](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-1557) 3. [You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-1557) Vote results for this note: 15[You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-1557) 4. `prepare()` is often called with each un-sanitized value explicitly passed as an individual argument; for example: 5. `$wpdb->prepare( "SELECT id FROM $wpdb->posts WHERE id > %d AND \`post_status\` = %s", $min_id, $status )` 6. The function will also accept an array of un-sanitized values, though, like this: 7. `$wpdb->prepare( "SELECT id FROM $wpdb->posts WHERE id > %d AND \`post_status\` = %s", array( $min_id, $status ) )` 8. That can be useful in certain circumstances, like when you have a multi-dimensional array where each sub-array contains a different number of items, and so you need to build the placeholders dynamically: 9. ```php foreach ( $new_status_post_id_map as $new_status => $wordcamp_ids ) { $wordcamp_id_placeholders = implode( ', ', array_fill( 0, count( $wordcamp_ids ), '%d' ) ); $prepare_values = array_merge( array( $new_status ), $wordcamp_ids ); $wpdb->query( $wpdb->prepare( " UPDATE `$table_name` SET `post_status` = %s WHERE ID IN ( $wordcamp_id_placeholders )", $prepare_values ) ); } ``` 10. So if a sub-array has 2 items, then `$wordcamp_id_placeholders` will be `'%d, % d'`, and if the next array has 4 items, then its placeholder string would be `'% d, %d, %d, %d'`. 11. In the future, [https://core.trac.wordpress.org/ticket/54042](https://core.trac.wordpress.org/ticket/54042) may provide an easier way to do this. 12. [Log in to add feedback](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%3Freplytocom%3D1557%23feedback-editor-1557) 13. [Skip to note 9 content](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#comment-content-2964) 14. [macbookandrew](https://profiles.wordpress.org/macbookandrew/) [ 7 years ago ](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-2964) 15. [You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-2964) Vote results for this note: 6[You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-2964) 16. Argument swapping is not supported in the sense that you can not reuse the same argument several times in a prepare statement. 17. For example, this **does not work** but throws an error because the number of placeholders does not match the number of arguments passed: 18. ```php // Does NOT work due to not enough arguments being passed. $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE `post_date` > %1$s AND `post_title` LIKE %2$s OR `post_content` LIKE %2$s", $post_date, $search_string ); ``` 19. Instead, you need to pass each argument individually: 20. ```php // Pass each argument for every time you need it. $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE `post_date` > %1$s AND `post_title` LIKE %2$s OR `post_content` LIKE %3$s", $post_date, $search_string, $search_string ); ``` 21. * Placeholders like %1$s have been deprecated since version 4.8.2. * [Berdych](https://profiles.wordpress.org/aberdov/) [7 years ago](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-3359) 22. [Log in to add feedback](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%3Freplytocom%3D2964%23feedback-editor-2964) 23. [Skip to note 10 content](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#comment-content-5155) 24. [Philipp Stracker](https://profiles.wordpress.org/strackerphil-1/) [ 5 years ago ](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-5155) 25. [You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-5155) Vote results for this note: 6[You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-5155) 26. **Available placeholders** 27. `%s` – string (value is escaped and wrapped in quotes) `%d` – integer `%f` – float `%%` – % sign 28. **`LIKE` Statements** – use `esc_like()` and use placeholder „%“ in arg-value, not inside the query 29. ```php $my_domain = 'example.com'; $sql = $wpdb->prepare( "SELECT * FROM $wpdb->options WHERE option_value LIKE %s;", '%' . $wpdb->esc_like( $my_domain ) . '%' ); ``` 30. * `%i` is also available now, for escaping table names. See [https://core.trac.wordpress.org/ticket/52506](https://core.trac.wordpress.org/ticket/52506) * [Ian Dunn](https://profiles.wordpress.org/iandunn/) [2 years ago](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-6752) 31. [Log in to add feedback](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%3Freplytocom%3D5155%23feedback-editor-5155) 32. [Skip to note 11 content](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#comment-content-2331) 33. [martinkolle](https://profiles.wordpress.org/martinkolle/) [ 9 years ago ](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-2331) 34. [You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-2331) Vote results for this note: 3[You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-2331) 35. Reply to [https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-2240](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-2240) Tablename should not be defined like this, because if the prefix is changed or used in a plugin, it will not work on all sites. The proper way is: 36. ```php $table_name = "{$wpdb->prefix}myTable"; $myID = 12; $wpdb->query( $wpdb->prepare( "UPDATE `$table_name` SET `your_column_1` = 1 WHERE `$table_name`.`your_column_id` = %d", $myID ) ); ``` 37. * In your example, the table names are not escaped properly. To escape them properly in WordPress 6.2 or greater, use the %i placeholder, like this: `$table_name = "{$wpdb->prefix}myTable"; $myID = 12; $wpdb->query( $wpdb->prepare( "UPDATE% i SET \`your_column_1\` = 1 WHERE %i.\`your_column_id\` = %d", $table_name, $table_name, $myID ) );` * [flimm](https://profiles.wordpress.org/flimm/) [3 years ago](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-6581) 38. [Log in to add feedback](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%3Freplytocom%3D2331%23feedback-editor-2331) 39. [Skip to note 12 content](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#comment-content-7197) 40. [Alex Kozack](https://profiles.wordpress.org/cawa-93/) [ 1 year ago ](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-7197) 41. [You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-7197) Vote results for this note: 1[You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-7197) 42. `$wpdb->prepare("%d", 1); // "1" $wpdb->prepare("%d", 1.1); // "1" $wpdb->prepare("% d", 'string'); // "0" $wpdb->prepare("%d", NULL); // "0" $wpdb->prepare("%d", false); // "0" 43. `$wpdb->prepare("%f", 1); // "1.000000" $wpdb->prepare("%f", 1.1); // "1.100000" $wpdb->prepare("%f", 'string'); // "0.000000" $wpdb->prepare("%f", NULL); // " 0.000000" $wpdb->prepare("%f", false); // "0.000000" 44. `$wpdb->prepare("%s", 1); // "'1'" $wpdb->prepare("%s", 1.1); // "'1.1'" $wpdb- >prepare("%s", 'string'); // "'string'" $wpdb->prepare("%s", NULL); // "''" $wpdb- >prepare("%s", false); // "''" 45. `$wpdb->prepare("%i", 1); // "\`1\`" $wpdb->prepare("%i", 1.1); // "\`1.1\`" $wpdb->prepare("%i", 'string'); // "\`string\`" $wpdb->prepare("%i", NULL); //"\`\`" $wpdb->prepare("%i", false); // "\`\`" 46. [Log in to add feedback](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%3Freplytocom%3D7197%23feedback-editor-7197) 47. [Skip to note 13 content](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#comment-content-5916) 48. [obnirb](https://profiles.wordpress.org/obnirb/) [ 4 years ago ](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-5916) 49. [You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-5916) Vote results for this note: 0[You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-5916) 50. The code below does not work! 51. ```php $results = $wpdb->get_results($wpdb->prepare( "SELECT `id`, `name`, `desc` ". "FROM `%s` ORDER BY `id`, $table_name)); ``` 52. I would end up with a select statement: SELECT `id`, `name`, `desc` FROM `’table- name’` ORDER BY `id` 53. Even if I remove the ` character from around my %s placeholder, it still will not work because table-name cannot be surrounded by ‘ characters. If $[wpdb](https://developer.wordpress.org/reference/classes/wpdb/)- >prepare could check if my %s placeholder is already surrounded by ` characters and in that case not add ‘ characters around my %s placeholder then the code above would work. 54. So my workaround (for select-statements) is to use sprintf instead (of $[wpdb](https://developer.wordpress.org/reference/classes/wpdb/)- >prepare) and I always check sql statements in Phpmyadmin. 55. * There is no need to use [wpdb](https://developer.wordpress.org/reference/classes/wpdb/)- >prepare for table names. [wpdb](https://developer.wordpress.org/reference/classes/wpdb/)- >prepare is for the variables you get from user input or from front-end via javascript/html form as $_POST,$_GET variables. Table name is always defined and used by the system developer, so there is no need to add extra check for table names. And nobody should put table name to user-facing forms. * [mogo](https://profiles.wordpress.org/mogomogo/) [3 years ago](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-6369) * You can now use the `%i` placeholder for table names. See [https://core.trac.wordpress.org/ticket/52506](https://core.trac.wordpress.org/ticket/52506) * [Ian Dunn](https://profiles.wordpress.org/iandunn/) [2 years ago](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-6751) * Use `$[wpdb](https://developer.wordpress.org/reference/classes/wpdb/)` table names instead, `"SELECT \`ID\` from \`{$wpdb->posts}\`..."` or for custom tables,`" SELECT \`my_field\` from \`{$wpdb->prefix}my_custom_table\` ... "` * [Aurovrata Venet](https://profiles.wordpress.org/aurovrata/) [2 years ago](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-6795) 56. [Log in to add feedback](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%3Freplytocom%3D5916%23feedback-editor-5916) 57. [Skip to note 14 content](https://developer.wordpress.org/reference/classes/wpdb/prepare/?output_format=md#comment-content-2240) 58. [wpfanatico.com](https://profiles.wordpress.org/wpfanatico/) [ 9 years ago ](https://developer.wordpress.org/reference/classes/wpdb/prepare/#comment-2240) 59. [You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-2240) Vote results for this note: -8[You must log in to vote on the helpfulness of this note](https://login.wordpress.org?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%23comment-2240) 60. Example: Simple update with prepare (one parameter) 61. CASE: Update a column value Where ID column = 12 62. ```php $table_name='myTable'; $myID=12; $wpdb->query($wpdb->prepare("UPDATE `$table_name` SET `your_column_1` = 1 WHERE `$table_name`.`your_column_id` = %d", $myID)); ``` 63. [Log in to add feedback](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F%3Freplytocom%3D2240%23feedback-editor-2240) You must [log in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fdeveloper.wordpress.org%2Freference%2Fclasses%2Fwpdb%2Fprepare%2F) before being able to contribute a note or feedback.