
How much does $wpdb->prepare(), then $wpdb->query() VS straight $wpdb->query(), can slow down the load time


Let's assume that the $wpdb->query() is properly escaped as needed, so there is no must for use of $wpdb->prepare(). However, some new requirements at Envato, not the w, require going through the prepare function first, which, in my opinion, has 4 cons:

  1. Hard to read the query text, if we have more than 10 variables out there.

  2. Slows down the website load, if we say we have 500 queries in the plugin.

  3. Is not well suited for dynamic query params, i.e. for a geo-location search that may or may not have country, city, state, zip code, street address, apt. number. We cannot use prepare for each of the scenarios, as it will get too big code-wise.

  4. There is no need for double-validation. Especially if the given value is already validated via a [A-Z-_0-9] regexp, while the '%s' validation is more global and can allow saving to the DB something that we don't want to allow.

So how much can $wpdb->prepare(), then $wpdb->query() VS straight $wpdb->query(), slow down the load time of the whole page, and should I take care of that?


asked Feb 4, 2019 at 15:01 by KestutisIT; edited Feb 4, 2019 at 15:47 by Krzysiek Dróżdż

  • Could you elaborate on 3? Why is it not well suitable for such queries? Also... Why do you think it slows down your site? PS. 500 queries is a lot and you should definitely take a look at what queries you perform. – Krzysiek Dróżdż, commented Feb 4, 2019 at 15:48

1 Answer

$wpdb->prepare shouldn't make any significant difference. As you can see here (https://developer.wordpress.org/reference/classes/wpdb/prepare/#source), it doesn't do much. It's just taking care of proper escaping and formatting variables, so the final query is safe to run.

So if you're asking if there is a big difference between $wpdb->query( $wpdb->prepare( ... ) ) and $wpdb->query( <SAFE_SQL> ), then no - there is no such difference, because you'll have to prepare the <SAFE_SQL> query by yourself, so you will make something very similar to prepare function.

And as for your points:

  1. I don't really think it's harder to read. For me it's even easier, because I clearly see what type of variables go to the query, and what values are passed in there. Of course formatting, naming, and so on are very important to make the code readable.

  2. No, running prepare shouldn't make a noticeable difference. But... If you have 500 queries, then you should take a look at them, because it's really a lot of queries.

  3. Why isn't it suitable for dynamic queries? There are a lot of dynamic queries in WP and all of them are constructed with the prepare method. Just take a look at the WP_Query::get_posts method - it's called almost everywhere in WP and it constructs a highly dynamic query, based on many parameters and additional filters...

  4. Yes, there is. Validation is one thing. Escaping is another thing. And sanitization is another one. Every one of these steps is important for your site safety.
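An added illustration of points 2 and 3 above (example code, not part of the answer or of WordPress itself): optional geo-location filters are collected from a column whitelist and then passed through $wpdb->prepare() exactly once, and a small timing loop shows what 500 prepare calls cost on your own host. The table name, column names and helper function names are assumptions.

```php
<?php
// Added example: dynamic WHERE clause built from optional filters, prepared once.
// Table/column names are assumed; only whitelisted columns can reach the SQL text.
function geo_search_sql( wpdb $wpdb, array $filters ) {
    $table   = $wpdb->prefix . 'geo_locations';   // assumed table name
    $allowed = array(                              // column => placeholder type
        'country' => '%s', 'state'  => '%s', 'city' => '%s',
        'zip'     => '%s', 'street' => '%s', 'apt'  => '%s',
    );
    $where = array();
    $args  = array();
    foreach ( $filters as $column => $value ) {
        // Skip unknown columns and empty filters: the SQL structure comes
        // from the whitelist, never from request data.
        if ( ! isset( $allowed[ $column ] ) || null === $value || '' === $value ) {
            continue;
        }
        $where[] = "`$column` = " . $allowed[ $column ];
        $args[]  = $value;
    }
    $sql = "SELECT id, name FROM `$table`";
    if ( $where ) {
        $sql .= ' WHERE ' . implode( ' AND ', $where );
    }
    // Placeholder count always matches $args, so one prepare() call covers
    // every combination of optional parameters. prepare() with no arguments
    // triggers a "doing it wrong" notice, hence the branch.
    return $args ? $wpdb->prepare( $sql, $args ) : $sql;
}

// Rough cost of building + preparing the query N times (point 2).
// Returns elapsed milliseconds; run it on your own stack to get a real number.
function prepare_cost_ms( wpdb $wpdb, int $iterations = 500 ) {
    $filters = array( 'country' => 'LT', 'city' => "Vil'nius", 'zip' => '' );
    $start   = microtime( true );
    for ( $i = 0; $i < $iterations; $i++ ) {
        geo_search_sql( $wpdb, $filters );
    }
    return ( microtime( true ) - $start ) * 1000;
}

// Usage (inside WordPress, where $wpdb is available):
// $rows = $wpdb->get_results( geo_search_sql( $wpdb, array_map( 'sanitize_text_field', $_GET ) ) );
// error_log( sprintf( '500 prepares: %.2f ms', prepare_cost_ms( $wpdb ) ) );
```

The quote in "Vil'nius" is escaped by prepare() rather than by the caller, which is the point of routing every value through it even when a regexp has already validated the input.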
