Escaping Table and Field names with wpdb::prepare() in WordPress 6.1

As part of the WordPress 6.1 release, wpdb::prepare() has been updated so it can escape identifiers (such as table and field names) with the %i placeholder (#52506). This ensures these values are escaped correctly and don't lead to SQL injection vulnerabilities.

Example:

```php
$table = 'my_table';
$field = 'my_field';
$value = 'my_value';

$wpdb->prepare( 'SELECT * FROM %i WHERE %i = %s', $table, $field, $value );

// Output:
// SELECT * FROM `my_table` WHERE `my_field` = 'my_value'
```

While this protects you against SQL injection, where possible you should still limit the values the user (attacker) can choose via an allow-list of trusted values; e.g. $fields =
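
The allow-list advice above combined with %i, as an added example that is not code from the post or from WordPress core: the sort column a visitor requests is checked against a fixed list before it is handed to prepare(). WpdbStub, SORTABLE_COLUMNS and the request values are assumptions so the file runs outside WordPress.

```php
<?php
// Added example, not code from the original post or from WordPress core.
// Assumptions: %i / %s / %d behave as in WordPress 6.1; WpdbStub is a minimal
// stand-in for $wpdb so the file runs outside WordPress; the request values
// below are constructed and stand in for $_GET.

// Allow-list: the only columns a visitor is permitted to sort by.
const SORTABLE_COLUMNS = array( 'post_date', 'post_title', 'comment_count' );

// Resolve a user-supplied sort column against the allow-list. Anything not on
// the list falls back to the default and never reaches the query at all.
function resolve_orderby( $requested, $default = 'post_date' ) {
	return in_array( $requested, SORTABLE_COLUMNS, true ) ? $requested : $default;
}

// Build the query: table and column go through %i (backtick-quoted), the
// status through %s and the limit through %d. %i keeps the identifier inside
// its quotes; the allow-list decides which identifiers are acceptable at all.
function build_posts_query( $wpdb, $table, $requested_orderby, $limit ) {
	$orderby = resolve_orderby( $requested_orderby );
	return $wpdb->prepare(
		'SELECT ID, post_title FROM %i WHERE post_status = %s ORDER BY %i DESC LIMIT %d',
		$table,
		'publish',
		$orderby,
		$limit
	);
}

// Minimal stand-in for wpdb::prepare() handling only %i, %s and %d (assumption).
// Real wpdb escapes strings through the database connection; addslashes() is
// only a placeholder so this file runs stand-alone.
class WpdbStub {
	public function prepare( $query, ...$args ) {
		return preg_replace_callback( '/%([isd])/', function ( $m ) use ( &$args ) {
			$arg = array_shift( $args );
			if ( 'i' === $m[1] ) { return '`' . str_replace( '`', '``', $arg ) . '`'; }
			if ( 'd' === $m[1] ) { return (string) (int) $arg; }
			return "'" . addslashes( $arg ) . "'";
		}, $query );
	}
}

$wpdb = new WpdbStub();
$request = array( 'orderby' => 'post_title' );    // on the allow-list: used as given
echo build_posts_query( $wpdb, 'wp_posts', $request['orderby'], 10 ), "\n";
$request = array( 'orderby' => 'post_password' ); // real column, not allow-listed: falls back
echo build_posts_query( $wpdb, 'wp_posts', $request['orderby'], 10 ), "\n";
```

Inside a plugin, pass the global $wpdb instead of WpdbStub; resolve_orderby() and build_posts_query() need no change.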

source https://www.worldofwp.com/escaping-table-and-field-names-with-wpdbprepare-in-wordpress-6-1/
