With the update to WordPress 3.5, which happened quite a while ago, a number of popular themes (and some unpopular ones) started displaying PHP warnings like this one:
Missing argument 2 for wpdb::prepare(), called in /wp/wp-content/themes/piano-black/sidebar.php on line 75 and defined
In my case, the theme makers don’t speak English, so I’m stuck fixing this baby myself. Piano-black is the name of the theme that I’m using on my old video game blog, which doesn’t get updated much, since I no longer correspond for IGN, sadly.
Any good programmer knows you need to prepare your queries to avoid nasty little SQL injections. The easiest way to fall victim is to plug a variable right into a SQL statement. A clever and nefarious hacker can very easily put something unintended in that variable and exploit your code to read or modify the underlying database. This wouldn't be good.
As shown in the above error, the problem has to do with incorrect usage of the wpdb::prepare() function. Take the following example of correct usage:
$wpdb->prepare("SELECT * FROM list WHERE ID = %d", $id)
Notice how the %d is a placeholder that prepare() fills in with the $id variable. This is important: prepare() can only make the value safe (casting %d to an integer, escaping and quoting %s) if the value is passed as a separate argument rather than already sitting inside the SQL string. Here is the WRONG way of using wpdb::prepare():
$wpdb->prepare("SELECT * FROM list WHERE ID = $id")
Since WordPress 3.5 the function requires at least TWO parameters (the query plus one value), and it now throws a warning when called with only the query, because a query that already has the variable interpolated into it is exactly the one prepare() cannot protect. The upside is that the warning points developers at a real security risk. The downside is that it also shows potential hackers exactly which file and line of your code can be exploited. It's a double-edged sword that must be fixed as soon as possible. However, if you need to buy yourself time, add the following code to your wp-config.php file:
@ini_set('display_errors', 0);
Please understand, this only hides the errors until you can fix them. It does NOT fix the errors. If you leave them, and find yourself hacked, don’t blame me!
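To make the difference between the two prepare() calls concrete, here is an added PHP example that is not code from the Piano-black theme or from WordPress itself. Since WordPress cannot be loaded stand-alone, the MiniWpdb class below is a simplified stand-in for wpdb::prepare() that keeps only the behaviour this post cares about (%d is cast to an integer, %s is escaped and quoted, and a call with no values triggers a warning); the attacker-style input values are constructed for the demonstration, and addslashes() stands in for the MySQL-aware escaping real WordPress uses.

```php
<?php
// Added example. MiniWpdb is NOT WordPress's wpdb class; it is a minimal
// stand-in so the effect of %d versus direct interpolation can be seen
// without a WordPress install. In a theme or plugin, use the global $wpdb.
class MiniWpdb {
    public function prepare($query, ...$args) {
        if (count($args) === 0) {
            // WordPress 3.5+ warns when prepare() gets only the query: by then
            // the variable is already inside the string and cannot be protected.
            trigger_error('wpdb::prepare() called with no values', E_USER_WARNING);
            return $query;
        }
        $i = 0;
        return preg_replace_callback('/%([dfs])/', function ($m) use ($args, &$i) {
            $value = isset($args[$i]) ? $args[$i] : '';
            $i++;
            switch ($m[1]) {
                case 'd': return (string) intval($value);     // integers only
                case 'f': return (string) floatval($value);   // floats only
                default:  return "'" . addslashes($value) . "'"; // escaped + quoted
            }
        }, $query);
    }
}

$wpdb = new MiniWpdb();

// Constructed attacker-controlled input, as it might arrive via $_GET['id'].
$id = "5 OR 1=1";

// WRONG: the variable is interpolated before prepare() ever sees it.
$bad = $wpdb->prepare("SELECT * FROM list WHERE ID = $id");
// Result: SELECT * FROM list WHERE ID = 5 OR 1=1   (returns every row, plus a warning)

// RIGHT: the %d placeholder lets prepare() coerce the value to an integer.
$good = $wpdb->prepare("SELECT * FROM list WHERE ID = %d", $id);
// Result: SELECT * FROM list WHERE ID = 5

// Strings go through %s, which escapes and quotes them. Note that you do NOT
// put quotes around %s yourself; prepare() adds them.
$name = "foo' OR '1'='1";
$str = $wpdb->prepare("SELECT * FROM list WHERE name = %s", $name);
// Result: SELECT * FROM list WHERE name = 'foo\' OR \'1\'=\'1'

echo $bad, PHP_EOL, $good, PHP_EOL, $str, PHP_EOL;
```

The fix for a theme like the one in the warning above is therefore mechanical: find the prepare() call on the reported line, replace every interpolated "$variable" inside the SQL string with %d, %f or %s as appropriate, and pass the variables as extra arguments in the same order. Once every call has its values passed separately, the warning disappears on its own and the display_errors line in wp-config.php can be removed.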