When working with queries in WordPress, it's always best to prepare the query with $wpdb->prepare() before running it; however, if you happen to be interfacing with a third-party API or working with another variant of SQL (such as Transact-SQL), things may work a little differently.
sprintf and LIKE in SQL
Some background on the problem at hand:
Say that you're working on a project in which you're making calls to a third-party API, and that API uses T-SQL to interface with its database.
Further, let's say that you want to retrieve records that contain a segment of the string being searched for (in other words, a LIKE clause). The caveat is that you can't use the standard prepare function provided by WordPress, so you opt to use sprintf to build the query. Keep in mind that sprintf only formats the string; it does not escape anything, so the incoming value still has to be escaped separately before it goes into the query.
Since sprintf uses %s for strings, and since a LIKE clause also requires the % wildcard, how does one handle the case of using both?
Here’s an example of how it may work for you:
Of course, I still think you should apply some type of escaping to the $name argument (both for quotes and for any % or _ wildcards it may contain), but there are a number of different ways to do this and it's beyond the point of this post.
In short, write the placeholder as %%%s%% (a doubled % is a literal percent sign in sprintf), so that the %s is prefixed and suffixed with %%, and you should be good to go.
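To show the whole mechanism end to end, here is an added example that is not from the original post, from WordPress or from any third-party API. It is written in Python rather than PHP because Python's % operator follows the same printf rules as sprintf (%s for a string, %% for a literal percent sign) and the standard library ships sqlite3, so it runs offline; the customers table and its rows are constructed for the demo. It goes one step past the post: besides the %%%s%% trick, it escapes the LIKE metacharacters in the search term and binds the finished pattern as a parameter with an ESCAPE clause, which is the same shape you would use against T-SQL (LIKE @p ESCAPE '\').

```python
import sqlite3

ESCAPE_CHAR = "\\"   # one backslash; handed to the engine through ESCAPE
LIKE_META = "%_"     # T-SQL additionally treats [ as a wildcard; add it there


def escape_like(term: str, esc: str = ESCAPE_CHAR, meta: str = LIKE_META) -> str:
    """Escape LIKE metacharacters in a user-supplied search term.

    The escape character itself is doubled first so that a backslash
    already present in the input cannot neutralise the escaping of a
    following % or _.
    """
    out = term.replace(esc, esc + esc)
    for ch in meta:
        out = out.replace(ch, esc + ch)
    return out


def like_pattern(term: str) -> str:
    """Wrap the escaped term in wildcards using sprintf-style formatting.

    In printf-style formats (PHP sprintf, Python's % operator) a literal
    percent sign is written %%, so the format '%%%s%%' produces %<term>%.
    """
    return "%%%s%%" % escape_like(term)


def search_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """The pattern the post describes, but with the raw value interpolated
    straight into the SQL text. sprintf performs no quoting, so a quote in
    `term` ends the string literal and the remainder is parsed as SQL."""
    sql = "SELECT name FROM customers WHERE name LIKE '%%%s%%'" % term
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Same %%%s%% trick, but the finished pattern travels as a bound
    parameter and ESCAPE tells the engine which character protects % and _."""
    sql = "SELECT name FROM customers WHERE name LIKE ? ESCAPE ?"
    return [row[0] for row in conn.execute(sql, (like_pattern(term), ESCAPE_CHAR))]


def demo_db() -> sqlite3.Connection:
    """Constructed sample data for the demo; not taken from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?)",
        [("Alice",), ("Bob_Smith",), ("100% Cotton Co",), ("O'Brien",)],
    )
    return conn


def unsafe_raises_on_quote(conn: sqlite3.Connection, term: str) -> bool:
    """True if the interpolated query fails to parse for this term."""
    try:
        search_unsafe(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = demo_db()
    print(like_pattern("100%"))                   # %100\%%
    print(search_safe(db, "%"))                   # ['100% Cotton Co']: % is literal
    print(len(search_unsafe(db, "%")))            # 4: % stayed a wildcard
    print(search_safe(db, "O'Brien"))             # ["O'Brien"]
    print(unsafe_raises_on_quote(db, "O'Brien"))  # True: the quote broke the SQL
    print(search_safe(db, "%' OR 1=1 --"))        # []
    print(len(search_unsafe(db, "%' OR 1=1 --"))) # 4: injected OR 1=1 matched everything
```

The two things to take from the run: the %% doubling only solves the formatting collision, and a search term of a bare % or _ still has to be escaped or it silently widens the match; and the same sprintf-built pattern is only safe when it is passed as a bound parameter, because sprintf does nothing about quotes. On SQL Server the LIKE wildcard set also includes the square bracket, so extend LIKE_META accordingly when the target really is T-SQL.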