Been reading up a lot on prepared statements, and one thing I read was that if you're using the global $wpdb class, you shouldn't need to pre-sanitize.
The following bit of code uses the $wpdb class, and I would like to know whether it would be safe as it is, or whether a prepared statement should be introduced?
$products = $wpdb->get_results( "SELECT `cart`.`prodid`,
        `cart`.`name`
    FROM `" . WPSC_TABLE_CART_CONTENTS . "` AS `cart`
    INNER JOIN `" . WPSC_TABLE_PURCHASE_LOGS . "` AS `logs`
        ON `cart`.`purchaseid` = `logs`.`id`
    WHERE `logs`.`processed` >= 2
        AND `logs`.`date` >= " . $months[0] . "
    GROUP BY `cart`.`prodid`
    ORDER BY SUM(`cart`.`price` * `cart`.`quantity`) DESC
    LIMIT 4", ARRAY_A ); //get 4 products with top income in 4 last months.
Should the above code be changed to the following?
// Table names stay concatenated from the constants: $wpdb->prepare() wraps a %s
// argument in single quotes, so `%s` would produce `'table_name'`, which MySQL
// rejects as an identifier. Only the runtime value ($months[0]) goes through a placeholder.
$products = $wpdb->get_results( $wpdb->prepare( "SELECT `cart`.`prodid`,
        `cart`.`name`
    FROM `" . WPSC_TABLE_CART_CONTENTS . "` AS `cart`
    INNER JOIN `" . WPSC_TABLE_PURCHASE_LOGS . "` AS `logs`
        ON `cart`.`purchaseid` = `logs`.`id`
    WHERE `logs`.`processed` >= 2
        AND `logs`.`date` >= %s
    GROUP BY `cart`.`prodid`
    ORDER BY SUM(`cart`.`price` * `cart`.`quantity`) DESC
    LIMIT 4", $months[0] ), ARRAY_A ); //get 4 products with top income in 4 last months.
Read up on the wpdb class, and introduced a prepared statement.
You need to do that only for user input queries to avoid any code injection.
For example, if $months[0] is coming from some user input parameter, sure, use the prepare statement, but all your current variables appear to be hard coded, so there's no need for it.
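To make the placeholder rules concrete, here is an added example (my own code, not from the question, the answer, or the WP e-Commerce plugin). It keeps the table names as concatenated constants, routes every runtime value through a placeholder, and shows why `%s` cannot stand in for an identifier. FakeWpdb is a constructed stand-in that mimics the quoting behaviour of the real wpdb::prepare() so the script runs outside WordPress; the table constant values are sample names; and $since is assumed to be a 'YYYY-MM-DD' string (if $months[0] in the original is a Unix timestamp, as its unquoted concatenation suggests, %d would be the matching placeholder).

```php
<?php
// Added example; not code from the original post or from the WPSC plugin.
// Constructed sample values so the script runs outside WordPress.
if ( ! defined( 'WPSC_TABLE_CART_CONTENTS' ) ) {
    define( 'WPSC_TABLE_CART_CONTENTS', 'wp_wpsc_cart_contents' );
}
if ( ! defined( 'WPSC_TABLE_PURCHASE_LOGS' ) ) {
    define( 'WPSC_TABLE_PURCHASE_LOGS', 'wp_wpsc_purchase_logs' );
}
if ( ! defined( 'ARRAY_A' ) ) {
    define( 'ARRAY_A', 'ARRAY_A' );
}

// Simplified model of wpdb::prepare(): %s arguments are escaped and wrapped in
// single quotes, %d arguments are cast to int. The real method also handles
// %f and %% (and, from WordPress 6.2, %i for identifiers); this stub covers
// only what the query below needs.
class FakeWpdb {
    public $last_sql = '';

    public function prepare( $query, ...$args ) {
        $query   = str_replace( "'%s'", '%s', $query );  // normalise pre-quoted %s
        $query   = str_replace( '%s', "'%s'", $query );  // then quote every %s once
        $escaped = array();
        foreach ( $args as $arg ) {
            $escaped[] = is_int( $arg ) ? $arg : addslashes( (string) $arg );
        }
        return vsprintf( $query, $escaped );
    }

    public function get_results( $sql, $output = 'OBJECT' ) {
        $this->last_sql = $sql;  // a real $wpdb would execute it; we only record it
        return array();
    }
}

// Table names come from install-time constants and are concatenated; every
// value decided at runtime (status threshold, date, limit) is a placeholder.
function wpsc_top_products( $wpdb, $since, $min_status = 2, $limit = 4 ) {
    $sql = $wpdb->prepare(
        "SELECT `cart`.`prodid`, `cart`.`name`
         FROM `" . WPSC_TABLE_CART_CONTENTS . "` AS `cart`
         INNER JOIN `" . WPSC_TABLE_PURCHASE_LOGS . "` AS `logs`
             ON `cart`.`purchaseid` = `logs`.`id`
         WHERE `logs`.`processed` >= %d
           AND `logs`.`date` >= %s
         GROUP BY `cart`.`prodid`
         ORDER BY SUM(`cart`.`price` * `cart`.`quantity`) DESC
         LIMIT %d",
        $min_status,
        $since,
        $limit
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Why `%s` must not be used for a table name: prepare() treats the argument as
// a string literal, so the identifier ends up wrapped in single quotes inside
// the backticks and MySQL reports an unknown table.
function broken_identifier_example( $wpdb ) {
    return $wpdb->prepare( 'SELECT 1 FROM `%s`', WPSC_TABLE_CART_CONTENTS );
}

$wpdb = new FakeWpdb();

// Ordinary input: the date is quoted, the integers are cast.
wpsc_top_products( $wpdb, '2012-01-01' );
echo $wpdb->last_sql, "\n\n";

// Input containing a stray quote: the quote is escaped, so it cannot close
// the string literal and the rest of the value stays inside it.
wpsc_top_products( $wpdb, "2012-01-01'" );
echo $wpdb->last_sql, "\n\n";

echo broken_identifier_example( $wpdb ), "\n";
```

Run it with `php example.php` and compare the three printed statements: the first two differ only inside the quoted date value, while the third shows the quoted-identifier problem that the `%s`-for-table-name version would hit on a real database. Parameterising a value that happens to be hard-coded today costs nothing, and it means the query stays safe if that value is later wired to a request parameter.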