Hotaru Docs


Database prepare() Function

The prepare() function in ez_sql_core.php is borrowed and adapted from WordPress's wpdb::prepare() (see the WordPress wpdb documentation). It escapes the values you hand it before substituting them into the query, so that user-supplied input cannot change the structure of the SQL (SQL injection) and accidentally malformed queries are avoided.

Instead of writing quoted strings and numbers directly into your SQL, put a %s (string) or %d (integer) placeholder where each value belongs, then pass the actual values to prepare(), which returns a correctly formed and escaped query. Do not put quotes around %s yourself: prepare() adds them, and a value passed for %d is cast to an integer. Because prepare() is printf-style, a literal % in the query (for example in a LIKE pattern) must be written as %%. Only values can be passed this way; table names, column names and ORDER BY clauses cannot be placeholders and must be validated in your own code.


$sql = "SELECT * FROM " . TABLE_POSTS . " WHERE post_id = %d";
$query = $h->prepare($sql, 16); // $sql is a string; 16 is substituted for %d
$post = $h->get_row($query);    // run the prepared query


There is one significant difference between the WordPress version and Hotaru's: the arguments can be passed as an array built on the fly. Besides the original form, $db->prepare($sql, $var1, $var2, ...), you can put the SQL query at the head of an array and follow it with any number of arguments. Pass that array to prepare(), which checks whether its first argument is an array; if so, it treats element 0 as the query and the remaining elements as the values, exactly as if they had been passed the traditional way. This is useful when the number of conditions in a query is only known at runtime.


$sql[0] = "SELECT * FROM " . TABLE_POSTS . " WHERE post_id = %d"; // query at the head of the array
$sql[1] = 16;                    // then the values, in placeholder order
$query = $h->prepare($sql);      // $sql is an array
$post = $h->get_row($query);
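The dynamic-filter case the array form is meant for, as an added example that is not part of the original page or of Hotaru's code. It assumes a stand-in prepare_standin() that mirrors the WordPress/ezSQL behaviour described above (array-of-arguments form, %s escaped and quoted, %d cast to an integer) so the script runs without a Hotaru install; the escaping routine (addslashes), the TABLE_POSTS value and the column names are assumptions. In a real plugin the array goes to $h->prepare($sql) and the result to $h->get_results(). The example also puts the unsafe concatenation beside the prepared query for the same hostile input, and shows the whitelist check needed for the one thing placeholders cannot cover, identifiers.

```php
<?php
// Added example for the Hotaru docs page; not Hotaru's own code.
// prepare_standin() is an assumed stand-in that mirrors the WordPress/ezSQL
// behaviour described on the page (%d -> integer, %s -> escaped and quoted,
// optional array-of-arguments form) so this script runs without a Hotaru
// install. It escapes with addslashes() for illustration only; Hotaru's
// prepare() escapes through the database layer. TABLE_POSTS and the column
// names below are assumed values.

define('TABLE_POSTS', 'hotaru_posts');

function prepare_standin($query, ...$args)
{
    // Hotaru's extension: when the first argument is an array, element 0 is
    // the query and the rest are the values, so both call styles work.
    if (is_array($query)) {
        $args  = array_slice($query, 1);
        $query = $query[0];
    }

    // prepare() supplies the quotes around %s; strip any the caller added.
    $query = str_replace(["'%s'", '"%s"'], '%s', $query);
    $query = str_replace('%s', "'%s'", $query);

    // Every value is escaped; vsprintf then casts %d arguments to integers,
    // so "16 OR 1=1" passed for a %d becomes 16.
    $args = array_map(fn($v) => addslashes((string) $v), $args);
    return vsprintf($query, $args);
}

// Build a query from an arbitrary set of filters. The SQL text and its values
// are kept in step in one array and handed to prepare() at the end; this is
// the case the array form exists for.
function build_posts_query(array $filters)
{
    $sql = ["SELECT * FROM " . TABLE_POSTS . " WHERE 1=1"];

    if (isset($filters['status'])) {
        $sql[0] .= " AND post_status = %s";
        $sql[]   = $filters['status'];
    }
    if (isset($filters['author_id'])) {
        $sql[0] .= " AND post_author = %d";
        $sql[]   = $filters['author_id'];
    }
    if (isset($filters['search'])) {
        // The wildcards go in the value, not the query: prepare() is
        // printf-style, so a literal % in the query would have to be %%.
        $sql[0] .= " AND post_title LIKE %s";
        $sql[]   = '%' . $filters['search'] . '%';
    }

    // Identifiers cannot be placeholders (%s would quote them), so the sort
    // column is checked against a whitelist instead of being interpolated.
    $allowed = ['post_date', 'post_votes'];
    $orderBy = in_array($filters['order_by'] ?? '', $allowed, true)
        ? $filters['order_by'] : 'post_date';
    $sql[0] .= " ORDER BY " . $orderBy . " DESC LIMIT %d";
    $sql[]   = max(1, (int) ($filters['limit'] ?? 20));

    return prepare_standin($sql);   // in Hotaru: $h->prepare($sql)
}

// Constructed hostile input: tries to close the string literal and append a
// tautology.
$hostile = "x' OR '1'='1";

// Unsafe: direct concatenation lets the value alter the query's structure.
$unsafe = "SELECT * FROM " . TABLE_POSTS . " WHERE post_status = '" . $hostile . "'";

// Safe: the same value stays inside an escaped string literal, the bogus
// author id collapses to 16, and the sort column falls back to the default.
$safe = build_posts_query([
    'status'    => $hostile,
    'author_id' => '16 OR 1=1',
    'search'    => 'kernel',
    'order_by'  => 'post_date; DROP TABLE x',
    'limit'     => 5,
]);

echo $unsafe, "\n", $safe, "\n";
```

Running the script prints the concatenated query with the tautology spliced into its WHERE clause, followed by the prepared query in which the hostile status is a single escaped string literal, the author id is the integer 16, the sort column is post_date and the limit is 5. The whitelist step is the part to keep in mind: every %s and %d on the page protects a value, and anything that is not a value (table, column, direction) still has to be checked by the caller.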