As part of the WordPress 6.1 release, wpdb::prepare() has been updated so it can escape Identifiers (such as Table and Field names) with the %i placeholder (#52506).
This ensures these values are escaped correctly and don’t lead to SQL Injection Vulnerabilities.
$table = 'my_table';
$field = 'my_field';
$value = 'my_value';
$wpdb->prepare('SELECT * FROM %i WHERE %i = %s', $table, $field, $value);
// Output:
// SELECT * FROM `my_table` WHERE `my_field` = 'my_value'While this protects you against SQL Injection, where possible you should limit the values the user (attacker) can choose via an allow-list of trusted values; e.g.
$fields = array(
'name' => 'user_nicename',
'url' => 'user_url',
'created' => 'DATE(created)',
);
$sql .= ' ORDER BY ' . ($fields[$order_field] ?? 'user_login');The change to add support for %i has a small performance improvement, as there is a little bit less Regular Expression work involved (generally the more parameters, the better the improvement).
WordPress is looking to use %i in core (#56091).
This change will help developers use the literal-string type for the $query parameter (this is where the $query is written as a developer defined string, and all user values are provided separately).
Props to @davidbaumwald for reviewing this dev note.
WordCamp Asia 2026 brought the global WordPress community to Mumbai, India, from April 9–11, gathering…
WordCamp Asia 2026 will be available to watch live across three days of streaming, making…
April 9-11, 2026 | Jio World Convention Centre, Mumbai, India WordCamp Asia 2026 brings the…
The second Release Candidate (“RC2”) for WordPress 7.0 is ready for download and testing! This…
When WP Engine acquired WPackagist on March 12, the WordPress developer community faced a familiar…
The first Release Candidate (“RC1”) for WordPress 7.0 is ready for download and testing! This…